diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 78189003c5..e8aa9bae33 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -13891,6 +13891,11 @@ "redirect_document_id": true }, { +"source_path": "windows/deployment/windows-autopilot/windows-10-autopilot.md", +"redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot", +"redirect_document_id": true +}, +{ "source_path": "windows/privacy/manage-windows-endpoints.md", "redirect_url": "/windows/privacy/manage-windows-1809-endpoints", "redirect_document_id": true diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index b3be0aa999..42532b3fb2 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 34e8b2d487..323ba3e4bd 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index e10552862b..9ea1e9de34 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md @@ -14,36 +14,30 @@ ms.date: 04/30/2018 >**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).** -Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). - >[!NOTE] >HoloLens devices must be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md) to manage updates. +For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business). -Mobile device management (MDM) providers use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to enable update management. +To configure how and when updates are applied, use the following policies: +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) +- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) -The Update policies supported for HoloLens are: +To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates: +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) -- [Update/RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) -- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) +In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)) - - -Typically, devices access Windows Update directly for updates. You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead: +For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead of Windows Update: - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) -In Microsoft Intune, use [a custom profile](https://docs.microsoft.com/intune/custom-settings-windows-holographic) to configure devices to get updates from WSUS. - - - ## Related topics -- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) \ No newline at end of file +- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) +- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 4e42bd0dad..0ac57ede0d 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -75,10 +75,16 @@ From here on, you'll need to finish the account creation process using PowerShel In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console: -- [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149) +- [Microsoft Online Services Sign-In Assistant for IT Professionals RTW](https://www.microsoft.com/en-us/download/details.aspx?id=41950) - [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids) - [Skype for Business Online, Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366) +Install the following module in Powershell +``` syntax + install-module AzureAD + Install-module MsOnline + ``` + ### Connecting to online services 1. Run Windows PowerShell as Administrator. @@ -200,8 +206,7 @@ In order to enable Skype for Business, your environment will need to meet the fo 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool - "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: @@ -356,18 +361,22 @@ In order to enable Skype for Business, your environment will need to meet the fo Import-PSSession $cssess -AllowClobber ``` -2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: +2. Retrieve your Surface Hub account Registrar Pool + +If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + + ```PowerShell + Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* + ``` + +3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` - If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - - ```PowerShell - Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* - ``` + diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index dc151c3165..47f420a4d0 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index 86d594455f..8477cac86f 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 3e3aa60025..5a35a44360 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -150,6 +150,22 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### Version 3.2.78.0 +*Release Date: 4 Dec 2018* + +This version of Surface Data Eraser: + +- Includes bug fixes + + +### Version 3.2.75.0 +*Release Date: 12 November 2018* + +This version of Surface Data Eraser: + +- Adds support to Surface Studio 2 +- Fixes issues with SD card + ### Version 3.2.69.0 *Release Date: 12 October 2018* diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md index 46ae3be55e..7325a15492 100644 --- a/devices/surface/surface-diagnostic-toolkit-business.md +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -28,7 +28,7 @@ Specifically, SDT for Business enables you to: To run SDT for Business, download the components listed in the following table. >[!NOTE] ->In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (MSI.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md). +>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (msiexec.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md). Mode | Primary scenarios | Download | Learn more --- | --- | --- | --- diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 77fc4c027c..fee03a26b2 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -191,8 +191,10 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must ## Version History +### Version 2.26.136.0 +* Add support to Surface Studio 2 -### Version 2.21.136.9 +### Version 2.21.136.0 * Add support to Surface Pro 6 * Add support to Surface Laptop 2 diff --git a/education/docfx.json b/education/docfx.json index c01be28758..227546b56a 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/mdop/docfx.json b/mdop/docfx.json index a6ff6398ef..530722278f 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md index c9e289d2f4..7dffbbbb92 100644 --- a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md +++ b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md @@ -159,7 +159,7 @@ Removable Data Volume encryption status will not be shown in the report.

Policy-Fixed Data Drive

-

Indicates if encryption is required for the dixed data drive.

+

Indicates if encryption is required for the fixed data drive.

Policy Removable Data Drive

diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 02aa19ebf0..afa48aee66 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -8,10 +8,12 @@ ms.pagetype: mobile ms.author: elizapo author: lizap ms.localizationpriority: medium -ms.date: 08/23/2018 +ms.date: 12/12/2018 --- # Understand the different apps included in Windows 10 +>Applies to: Windows 10 + The following types of apps run on Windows 10: - Windows apps - introduced in Windows 8, primarily installed from the Store app. - Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. @@ -38,6 +40,8 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an > Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName > ``` +
+ | Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? | |----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| | Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | | Yes | @@ -83,10 +87,9 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an | Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | ---- + >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. ---- ## System apps @@ -98,6 +101,8 @@ System apps are integral to the operating system. Here are the typical system ap > Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation > ``` +
+ | Name | Package Name | 1703 | 1709 | 1803 | Uninstall through UI? | |----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| | File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x | No | diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 3381e948b9..1ae7911088 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -12,11 +12,19 @@ ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) ## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md) -### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md) -### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) -### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) -### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md) -### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) -### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) +### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md) +#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md) +#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md) +#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) +### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) +#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) +#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) +#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) +#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) +### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md) +#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) +#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) +#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) +#### [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index 793c6e9c21..91800241a0 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -9,13 +9,23 @@ ms.pagetype: security ms.localizationpriority: medium author: jdeckerMS ms.author: jdecker -ms.date: 11/30/2018 +ms.date: 12/06/2018 --- # Change history for Client management This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile. +## December 2018 + +New or changed topic | Description +--- | --- +[Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) | New +[Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) | New +[Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) | New +[Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) | New +[Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) | New + ## November 2018 New or changed topic | Description diff --git a/windows/client-management/images/check-disk.png b/windows/client-management/images/check-disk.png new file mode 100644 index 0000000000..2c5859470e Binary files /dev/null and b/windows/client-management/images/check-disk.png differ diff --git a/windows/client-management/images/controlset.png b/windows/client-management/images/controlset.png new file mode 100644 index 0000000000..fe9d3c8820 Binary files /dev/null and b/windows/client-management/images/controlset.png differ diff --git a/windows/client-management/images/loadhive.png b/windows/client-management/images/loadhive.png new file mode 100644 index 0000000000..62c6643140 Binary files /dev/null and b/windows/client-management/images/loadhive.png differ diff --git a/windows/client-management/images/pendingupdate.png b/windows/client-management/images/pendingupdate.png new file mode 100644 index 0000000000..19d8c9dec4 Binary files /dev/null and b/windows/client-management/images/pendingupdate.png differ diff --git a/windows/client-management/images/revertpending.png b/windows/client-management/images/revertpending.png new file mode 100644 index 0000000000..7b60c6446d Binary files /dev/null and b/windows/client-management/images/revertpending.png differ diff --git a/windows/client-management/images/rpc-error.png b/windows/client-management/images/rpc-error.png new file mode 100644 index 0000000000..0e0828522b Binary files /dev/null and b/windows/client-management/images/rpc-error.png differ diff --git a/windows/client-management/images/rpc-flow.png b/windows/client-management/images/rpc-flow.png new file mode 100644 index 0000000000..a3d9c13030 Binary files /dev/null and b/windows/client-management/images/rpc-flow.png differ diff --git a/windows/client-management/images/screenshot1.png b/windows/client-management/images/screenshot1.png new file mode 100644 index 0000000000..5138b41016 Binary files /dev/null and b/windows/client-management/images/screenshot1.png differ diff --git a/windows/client-management/images/sfc-scannow.png b/windows/client-management/images/sfc-scannow.png new file mode 100644 index 0000000000..1c079288a8 Binary files /dev/null and b/windows/client-management/images/sfc-scannow.png differ diff --git a/windows/client-management/images/tcp-ts-1.png b/windows/client-management/images/tcp-ts-1.png new file mode 100644 index 0000000000..621235d5b3 Binary files /dev/null and b/windows/client-management/images/tcp-ts-1.png differ diff --git a/windows/client-management/images/tcp-ts-10.png b/windows/client-management/images/tcp-ts-10.png new file mode 100644 index 0000000000..7bf332b57a Binary files /dev/null and b/windows/client-management/images/tcp-ts-10.png differ diff --git a/windows/client-management/images/tcp-ts-11.png b/windows/client-management/images/tcp-ts-11.png new file mode 100644 index 0000000000..75b0361f89 Binary files /dev/null and b/windows/client-management/images/tcp-ts-11.png differ diff --git a/windows/client-management/images/tcp-ts-12.png b/windows/client-management/images/tcp-ts-12.png new file mode 100644 index 0000000000..592ccf0e76 Binary files /dev/null and b/windows/client-management/images/tcp-ts-12.png differ diff --git a/windows/client-management/images/tcp-ts-13.png b/windows/client-management/images/tcp-ts-13.png new file mode 100644 index 0000000000..da6157c72a Binary files /dev/null and b/windows/client-management/images/tcp-ts-13.png differ diff --git a/windows/client-management/images/tcp-ts-14.png b/windows/client-management/images/tcp-ts-14.png new file mode 100644 index 0000000000..f3a3cc4a35 Binary files /dev/null and b/windows/client-management/images/tcp-ts-14.png differ diff --git a/windows/client-management/images/tcp-ts-15.png b/windows/client-management/images/tcp-ts-15.png new file mode 100644 index 0000000000..e3e161317f Binary files /dev/null and b/windows/client-management/images/tcp-ts-15.png differ diff --git a/windows/client-management/images/tcp-ts-16.png b/windows/client-management/images/tcp-ts-16.png new file mode 100644 index 0000000000..52a5e24e2b Binary files /dev/null and b/windows/client-management/images/tcp-ts-16.png differ diff --git a/windows/client-management/images/tcp-ts-17.png b/windows/client-management/images/tcp-ts-17.png new file mode 100644 index 0000000000..e690bbdf1c Binary files /dev/null and b/windows/client-management/images/tcp-ts-17.png differ diff --git a/windows/client-management/images/tcp-ts-18.png b/windows/client-management/images/tcp-ts-18.png new file mode 100644 index 0000000000..95cf36dbe7 Binary files /dev/null and b/windows/client-management/images/tcp-ts-18.png differ diff --git a/windows/client-management/images/tcp-ts-19.png b/windows/client-management/images/tcp-ts-19.png new file mode 100644 index 0000000000..4f2d239e57 Binary files /dev/null and b/windows/client-management/images/tcp-ts-19.png differ diff --git a/windows/client-management/images/tcp-ts-2.png b/windows/client-management/images/tcp-ts-2.png new file mode 100644 index 0000000000..cdaada6cb6 Binary files /dev/null and b/windows/client-management/images/tcp-ts-2.png differ diff --git a/windows/client-management/images/tcp-ts-20.png b/windows/client-management/images/tcp-ts-20.png new file mode 100644 index 0000000000..9b3c573f7e Binary files /dev/null and b/windows/client-management/images/tcp-ts-20.png differ diff --git a/windows/client-management/images/tcp-ts-21.png b/windows/client-management/images/tcp-ts-21.png new file mode 100644 index 0000000000..1e29a2061e Binary files /dev/null and b/windows/client-management/images/tcp-ts-21.png differ diff --git a/windows/client-management/images/tcp-ts-22.png b/windows/client-management/images/tcp-ts-22.png new file mode 100644 index 0000000000..c49dcd72ee Binary files /dev/null and b/windows/client-management/images/tcp-ts-22.png differ diff --git a/windows/client-management/images/tcp-ts-23.png b/windows/client-management/images/tcp-ts-23.png new file mode 100644 index 0000000000..16ef4604c1 Binary files /dev/null and b/windows/client-management/images/tcp-ts-23.png differ diff --git a/windows/client-management/images/tcp-ts-24.png b/windows/client-management/images/tcp-ts-24.png new file mode 100644 index 0000000000..14ae950076 Binary files /dev/null and b/windows/client-management/images/tcp-ts-24.png differ diff --git a/windows/client-management/images/tcp-ts-25.png b/windows/client-management/images/tcp-ts-25.png new file mode 100644 index 0000000000..21e8b97a08 Binary files /dev/null and b/windows/client-management/images/tcp-ts-25.png differ diff --git a/windows/client-management/images/tcp-ts-3.png b/windows/client-management/images/tcp-ts-3.png new file mode 100644 index 0000000000..ce3072c95e Binary files /dev/null and b/windows/client-management/images/tcp-ts-3.png differ diff --git a/windows/client-management/images/tcp-ts-4.png b/windows/client-management/images/tcp-ts-4.png new file mode 100644 index 0000000000..73bc5f90be Binary files /dev/null and b/windows/client-management/images/tcp-ts-4.png differ diff --git a/windows/client-management/images/tcp-ts-5.png b/windows/client-management/images/tcp-ts-5.png new file mode 100644 index 0000000000..ee64c96da0 Binary files /dev/null and b/windows/client-management/images/tcp-ts-5.png differ diff --git a/windows/client-management/images/tcp-ts-6.png b/windows/client-management/images/tcp-ts-6.png new file mode 100644 index 0000000000..8db75fdb08 Binary files /dev/null and b/windows/client-management/images/tcp-ts-6.png differ diff --git a/windows/client-management/images/tcp-ts-7.png b/windows/client-management/images/tcp-ts-7.png new file mode 100644 index 0000000000..4b61bf7e36 Binary files /dev/null and b/windows/client-management/images/tcp-ts-7.png differ diff --git a/windows/client-management/images/tcp-ts-8.png b/windows/client-management/images/tcp-ts-8.png new file mode 100644 index 0000000000..f0ef8300ba Binary files /dev/null and b/windows/client-management/images/tcp-ts-8.png differ diff --git a/windows/client-management/images/tcp-ts-9.png b/windows/client-management/images/tcp-ts-9.png new file mode 100644 index 0000000000..dba375fd65 Binary files /dev/null and b/windows/client-management/images/tcp-ts-9.png differ diff --git a/windows/client-management/images/unloadhive.png b/windows/client-management/images/unloadhive.png new file mode 100644 index 0000000000..e8eb2f859e Binary files /dev/null and b/windows/client-management/images/unloadhive.png differ diff --git a/windows/client-management/images/unloadhive1.png b/windows/client-management/images/unloadhive1.png new file mode 100644 index 0000000000..3b269f294c Binary files /dev/null and b/windows/client-management/images/unloadhive1.png differ diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 9231a68bbf..2e0b0840bd 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,9 +6,8 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/31/2018 +ms.date: 12/06/2018 --- - # BitLocker CSP > [!WARNING] @@ -795,13 +794,13 @@ The following diagram shows the BitLocker configuration service provider in tree **AllowWarningForOtherDiskEncryption** -

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

+

Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.

> [!Important] -> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) for value 0. +> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview). > [!Warning] -> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. +> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. @@ -844,6 +843,16 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +>[!NOTE] +>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. +> +>The endpoint for a fixed data drive's backup is chosen in the following order: + >1. The user's Windows Server Active Directory Domain Services account. + >2. The user's Azure Active Directory account. + >3. The user's personal OneDrive (MDM/MAM only). +> +>Encryption will wait until one of these three locations backs up successfully. + **AllowStandardUserEncryption** Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account. @@ -854,7 +863,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. -The expected values for this policy are: +The expected values for this policy are: - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. - 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index cf28233abe..a4f77849fe 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -80,10 +80,10 @@ Query parameters: - Bundle - returns installed bundle packages. - Framework - returns installed framework packages. - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle. - - XAP - returns XAP package types. + - XAP - returns XAP package types. This filter is not supported on devices other than Windows Mobile. - All - returns all package types. - If no value is specified, the combination of Main, Bundle, Framework, and XAP are returned. + If no value is specified, the combination of Main, Bundle, and Framework are returned. - PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. diff --git a/windows/client-management/mdm/images/block-untrusted-processes.png b/windows/client-management/mdm/images/block-untrusted-processes.png new file mode 100644 index 0000000000..c9d774457e Binary files /dev/null and b/windows/client-management/mdm/images/block-untrusted-processes.png differ diff --git a/windows/client-management/mdm/images/device-manager-disk-drives.png b/windows/client-management/mdm/images/device-manager-disk-drives.png new file mode 100644 index 0000000000..44be977537 Binary files /dev/null and b/windows/client-management/mdm/images/device-manager-disk-drives.png differ diff --git a/windows/client-management/mdm/images/disk-drive-hardware-id.png b/windows/client-management/mdm/images/disk-drive-hardware-id.png new file mode 100644 index 0000000000..cf8399acf4 Binary files /dev/null and b/windows/client-management/mdm/images/disk-drive-hardware-id.png differ diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 72b31a82e2..eb70f310ec 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: jdeckerms -ms.date: 09/12/2018 +ms.date: 10/09/2018 --- # Mobile device management @@ -23,12 +23,15 @@ There are two parts to the Windows 10 management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). ## MDM security baseline With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices. +>[!NOTE] +>Intune support for the MDM security baseline is coming soon. + The MDM security baseline includes policies that cover the following areas: - Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall @@ -38,7 +41,7 @@ The MDM security baseline includes policies that cover the following areas: - Legacy technology policies that offer alternative solutions with modern technology - And much more -For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/). +For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip). diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index cf0794e951..4d9e65932e 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 09/20/2018 +ms.date: 12/06/2018 --- # What's new in MDM enrollment and management @@ -1760,6 +1760,12 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### December 2018 + +|New or updated topic | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.| + ### September 2018 |New or updated topic | Description| diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index f73ed9e092..82eb7ed2c3 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/30/2018 +ms.date: 11/15/2018 --- # Policy CSP - Bluetooth @@ -352,15 +352,21 @@ Footnote: ## ServicesAllowedList usage guide -When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG). +When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG). -To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. +- Disabling a service shall block incoming and outgoing connections for such services +- Disabling a service shall not publish an SDP record containing the service being blocked +- Disabling a service shall not allow SDP to expose a record for a blocked service +- Disabling a service shall log when a service is blocked for auditing purposes +- Disabling a service shall take effect upon reload of the stack or system reboot + +To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID. Here are some examples: -**Bluetooth Headsets for Voice (HFP)** +**Example of how to enable Hands Free Profile (HFP)** BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB @@ -370,8 +376,22 @@ BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB Footnote: * Used as both Service Class Identifier and Profile Identifier. -Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB +Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB +**Allow Audio Headsets (Voice)** + +|Profile|Reasoning|UUID| +|-|-|-| +|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E| +|Generic Audio Service|Generic audio service|0x1203| +|Headset Service Class|For older voice-enabled headsets|0x1108| +|PnP Information|Used to identify devices occasionally|0x1200| + +This means that if you only want Bluetooth headsets, the UUIDs to include are: + +{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} + + **Allow Audio Headsets and Speakers (Voice & Music)** |Profile |Reasoning |UUID | |---------|---------|---------| |HFP (Hands Free Profile) |For voice enabled headsets |0x111E | -|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110A | -|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | -|Device ID (DID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | +|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110B| +|Generic Audio Service|Generic service used by Bluetooth|0x1203| +|Headset Service Class|For older voice-enabled headsets|0x1108| +|AV Remote Control Target Service|For controlling audio remotely|0x110C| +|AV Remote Control Service|For controlling audio remotely|0x110E| +|AV Remote Control Controller Service|For controlling audio remotely|0x110F| +|PnP Information|Used to identify devices occasionally|0x1200| -{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; **Classic Keyboards and Mice** |Profile |Reasoning |UUID | |---------|---------|---------| |HID (Human Interface Device) |For classic BR/EDR keyboards and mice |0x1124 | -|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | -|DID (Device ID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | +|PnP Information|Used to identify devices occasionally|0x1200| -{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; -> [!Note] -> For both Classic and LE use a super set of the two formula’s UUIDs **LE Keyboards and Mice** |Profile |Reasoning |UUID | |---------|---------|---------| -|Generic Access Atribute |For the LE Protocol |0x1801 | +|Generic Access Attribute |For the LE Protocol |0x1801 | |HID Over GATT * |For LE keyboards and mice |0x1812 | |GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | |DID (Device ID) |Generic service used by Bluetooth |0x180A | @@ -433,10 +453,12 @@ Footnote: * The Surface pen uses the HID over GATT profile |---------|---------|---------| |OBEX Object Push (OPP) |For file transfer |0x1105 | |Object Exchange (OBEX) |Protocol for file transfer |0x0008 | -|Generic Access Profile (GAP) |Generic service used by Bluetooth |0x1800 | -|Device ID (DID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | - -{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +|PnP Information|Used to identify devices occasionally|0x1200| +{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} +Disabling file transfer shall have the following effects +- Fsquirt shall not allow sending of files +- Fsquirt shall not allow receiving of files +- Fsquirt shall display error message informing user of policy preventing file transfer +- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index c11cd41c96..702252a71e 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -463,10 +463,13 @@ If you disable or do not configure this policy setting, devices can be installed For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). -To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu: +You can get the hardware ID in Device Manager. For example, USB drives are listed under Disk drives: -![Hardware IDs](images/hardware-ids.png) +![Disk drives](images/device-manager-disk-drives.png) +Right-click the name of the device, click **Properties** > **Details** and select **Hardware Ids** as the **Property**: + +![Hardware IDs](images/disk-drive-hardware-id.png) > [!TIP] diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md new file mode 100644 index 0000000000..349f5fce9f --- /dev/null +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -0,0 +1,280 @@ +--- +title: Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device +description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/11/2018 +--- + +# Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device + +This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. + +## Causes of the Inaccessible_Boot_Device Stop error + +Any one of the following factors may cause the stop error: + +* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack + +* File system corruption + +* Changes to the storage controller mode or settings in the BIOS + +* Using a different storage controller than the one that was used when Windows was installed + +* Moving the hard disk to a different computer that has a different controller + +* A faulty motherboard or storage controller, or faulty hardware + +* In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions + +* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command) + +## Troubleshoot this error + +Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps. + +1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088). + +2. On the **Install Windows** screen, select **Next** > **Repair your computer** . + +3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** . + +### Verify that the boot disk is connected and accessible + +#### Step 1 + + At the WinRE Command prompt, run `diskpart`, and then run `list disk`. + +A list of the physical disks that are attached to the computer should be displayed and resemble the following display: + +``` + Disk ### Status Size Free Dyn Gpt + + -------- ------------- ------- ------- --- --- + + Disk 0 Online **size* GB 0 B * +``` + +If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk (*) in the **GPT** column. + +If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column. + +#### Step 2 + +If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`. + +`list vol` generates an output that resembles the following display: + +``` + Volume ### Ltr Label Fs Type Size Status Info + + ---------- --- ----------- ----- ---------- ------- --------- -------- + + Volume 0 Windows RE NTFS Partition 499 MB Healthy + + Volume 1 C OSDisk NTFS Partition 222 GB Healthy Boot + + Volume 2 SYSTEM FAT32 Partition 499 MB Healthy System +``` + +>[!NOTE] +>If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer. + +### Verify the integrity of Boot Configuration Database + +Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt. + +To verify the BCD entries: + +1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. + + An example output if the computer is UEFI-based: + + ``` + device partition=\Device\HarddiskVolume2 + path \EFI\Microsoft\Boot\bootmgfw.efi + ``` + + An example output if the machine is BIOS based: + ``` + Device partition=C: + ``` + >[!NOTE] + >This output may not contain a path. + +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. + + >[!NOTE] + >If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension. + + ![bcdedit](images/screenshot1.png) + +If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** . + +After the backup is completed, run the following command to make the changes: + +
bcdedit /set *{identifier}* option value
+ +For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:` + + If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`. + +If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`. + +If the files are missing, and you want to rebuild the boot files, follow these steps: + +1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows: + +``` +D:\> Mkdir BootBackup +R:\> Copy *.* D:\BootBackup +``` + +2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows: + + ```cmd + Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL + ``` + + For example: if we assign the ,System Drive> (WinRE drive) the letter R and the is the letter D, this command would be the following: + + ```cmd + Bcdboot D:\windows /s R: /f ALL + ``` + + >[!NOTE] + >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations. + +If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: + +1. Start **Notepad** . + +2. Press Ctrl+O. + +3. Navigate to the system partition (in this example, it is R). + +4. Right-click the partition, and then format it. + +### Troubleshooting if this issue occurs after a Windows Update installation + +Run the following command to verify the Windows update installation and dates: + +```cmd +Dism /Image:: /Get-packages +``` + +After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages: + +![Dism output](images/pendingupdate.png) + +1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer. + + ![Dism output](images/revertpending.png) + +2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. + +3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**. + +4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**. + +5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive + + ![Load Hive](images/loadhive.png) + +6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. + +7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. + + ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) + +8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive. + +9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value. + +10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on. + +11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key. + +### Verifying boot critical drivers and services + +#### Check services + +1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.) + +2. Expand **Services**. + +3. Make sure that the following registry keys exist under **Services**: + + * ACPI + + * DISK + + * VOLMGR + + * PARTMGR + + * VOLSNAP + + * VOLUME + +If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**. + +If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands: + +```cmd +cd OSdrive:\Windows\System32\config +ren SYSTEM SYSTEM.old +copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\ +``` + +#### Check upper and lower filter drivers + +Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers: + +1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**. + +2. Look for any **UpperFilters** or **LowerFilters** entries. + + >[!NOTE] + >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**. + + The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** : + +\Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{4D36E967-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{4D36E97B-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F} + +![Registry](images/controlset.png) + +If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value. + +>[!NOTE] +>There could be multiple entries. + +The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry. + +>[!NOTE] +>If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error. + +### Running SFC and Chkdsk + + If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt: + +* `chkdsk /f /r OsDrive:` + + ![Check disk](images/check-disk.png) + +* `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` + + ![SFC scannow](images/sfc-scannow.png) + diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md new file mode 100644 index 0000000000..6865732607 --- /dev/null +++ b/windows/client-management/troubleshoot-networking.md @@ -0,0 +1,20 @@ +--- +title: Advanced troubleshooting for Windows networking issues +description: Learn how to troubleshoot networking issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: +--- + +# Advanced troubleshooting for Windows networking issues + +In these topics, you will learn how to troubleshoot common problems related to Windows networking. + +- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md) +- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md) +- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) +- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md) diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 0ae0f55f3f..1ec7b52b6a 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -101,7 +101,7 @@ The memory dump file is saved at the following locations. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video: ->[!video https://www.youtube.com/embed?v=xN7tOfgNKag] +>[!video https://www.youtube.com/watch?v=xN7tOfgNKag&feature=youtu.be] More information on how to use Dumpchk.exe to check your dump files: diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md new file mode 100644 index 0000000000..ba947f741a --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -0,0 +1,109 @@ +--- +title: Troubleshoot TCP/IP connectivity +description: Learn how to troubleshoot TCP/IP connectivity. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot TCP/IP connectivity + +You might come across connectivity errors on the application end or timeout errors. Most common scenarios would include application connectivity to a database server, SQL timeout errors, BizTalk application timeout errors, Remote Desktop Protocol (RDP) failures, file share access failures, or general connectivity. + +When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture which could indicate a network issue. + +* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures this is through the handshake process. Establishing a TCP session would begin with a 3-way handshake, followed by data transfer, and then a 4-way closure. The 4-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. Once the TIME_WAIT state is done, all the resources allocated for this connection are released. + +* TCP reset is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. + +* TCP reset is identified by the RESET flag in the TCP header set to `1`. + +A network trace on the source and the destination which will help you determine the flow of the traffic and see at what point the failure is observed. + +The following sections describe some of the scenarios when you will see a RESET. + +## Packet drops + +When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up re-transmitting the data and when there is no response received, it would end the session by sending an ACK RESET( meaning, application acknowledges whatever data exchanged so far, but due to packet drop closing the connection). + +The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets. + +If the initial TCP handshake is failing because of packet drops then you would see that the TCP SYN packet is retransmitted only 3 times. + +Source side connecting on port 445: + +![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png) + +Destination side: applying the same filter, you do not see any packets. + +![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png) + +For the rest of the data, TCP will retransmit the packets 5 times. + +**Source 192.168.1.62 side trace:** + +![Screenshot showing packet side trace](images/tcp-ts-8.png) + +**Destination 192.168.1.2 side trace:** + +You would not see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network. + +If you are seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you are trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there is no response, then there could be a wfp drop. + +## Incorrect parameter in the TCP header + +You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being re-played by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source. + +In this case, you will again need help from the network team to identify any such device which is modifying packets or re-playing packets to the destination. The most common ones are RiverBed devices or WAN accelerators. + + +## Application side reset + +When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset. + +The application resets are the ones where you see the Acknowledgement flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received. + +In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source. + +**Source Side** + +![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png) + +**On the destination-side trace** + +![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png) + +You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet. + +![Screenshot of packet flag](images/tcp-ts-11.png) + +The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. + +>[!Note] +>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet + + +```typescript +10.10.10.1 10.10.10.2 UDP UDP:SrcPort=49875,DstPort=3343 + +10.10.10.2 10.10.10.1 ICMP ICMP:Destination Unreachable Message, Port Unreachable,10.10.10.2:3343 +``` + + +During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet. + +```typescript +auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable +``` + +You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it. + +![Screenshot of Event Properties](images/tcp-ts-12.png) + +Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection. + +![Screenshot of wfpstate.xml file](images/tcp-ts-13.png) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md new file mode 100644 index 0000000000..a82076e8d9 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -0,0 +1,60 @@ +--- +title: Collect data using Network Monitor +description: Learn how to run Network Monitor to collect data for troubleshooting TCP/IP connectivity. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Collect data using Network Monitor + +In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. + +To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. + +![A view of the properties for the adapter](images/tcp-ts-1.png) + +When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch. + +**To capture traffic** + +1. Click **Start** and enter **Netmon**. + +2. For **netmon run command**,select **Run as administrator**. + + ![Image of Start search results for Netmon](images/tcp-ts-3.png) + +3. Network Monitor opens with all network adapters displayed. Select **New Capture**, and then select **Start**. + + ![Image of the New Capture option on menu](images/tcp-ts-4.png) + +4. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. + + ![Frame summary of network packets](images/tcp-ts-5.png) + +5. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. + +The saved file has captured all the traffic that is flowing to and from the network adapters of this machine. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. + +**Commonly used filters** + +- Ipv4.address=="client ip" and ipv4.address=="server ip" +- Tcp.port== +- Udp.port== +- Icmp +- Arp +- Property.tcpretranmits +- Property.tcprequestfastretransmits +- Tcp.flags.syn==1 + +>[!TIP] +>If you want to filter the capture for a specific field and do not know the syntax for that filter, just right-click that field and select **Add *the selected value* to Display Filter**. + +Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis. + + + diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md new file mode 100644 index 0000000000..8fb6da7063 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -0,0 +1,196 @@ +--- +title: Troubleshoot port exhaustion issues +description: Learn how to troubleshoot port exhaustion issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot port exhaustion issues + +TCP and UDP protocols work based on port numbers used for establishing connection. Any application or a service that needs to establish a TCP/UDP connection will require a port on its side. + +There are two types of ports: + +- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection. +- *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers. + +Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443. + +In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*. + +## Default dynamic port range for TCP/IP + +To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**. + +You can view the dynamic port range on a computer by using the following netsh commands: + +- `netsh int ipv4 show dynamicport tcp` +- `netsh int ipv4 show dynamicport udp` +- `netsh int ipv6 show dynamicport tcp` +- `netsh int ipv6 show dynamicport udp` + + +The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP. + +```cmd +netsh int set dynamic start=number num=range +``` + +The start port is number, and the total number of ports is range. The following are sample commands: + +- `netsh int ipv4 set dynamicport tcp start=10000 num=1000` +- `netsh int ipv4 set dynamicport udp start=10000 num=1000` +- `netsh int ipv6 set dynamicport tcp start=10000 num=1000` +- `netsh int ipv6 set dynamicport udp start=10000 num=1000` + +These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000. + +Specifically, about outbound connections as incoming connections will not require an Ephemeral port for accepting connections. + +Since outbound connections start to fail, you will see a lot of the below behaviors: + +- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. + + ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png) + +- Group Policy update failures: + + ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png) + +- File shares are inaccessible: + + ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png) + +- RDP from the affected server fails: + + ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png) + +- Any other application running on the machine will start to give out errors + +Reboot of the server will resolve the issue temporarily, but you would see all the symptoms come back after a period of time. + +If you suspect that the machine is in a state of port exhaustion: + +1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step. + +2. Open event viewer and under the system logs, look for the events which clearly indicate the current state: + + a. **Event ID 4227** + + ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png) + + b. **Event ID 4231** + + ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png) + +3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. + + ![Screenshot of netstate command output](images/tcp-ts-20.png) + +After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + +You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + +>[!Note] +>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. +> +>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. + +4. Open a command prompt in admin mode and run the below command + + ```cmd + Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl + ``` + +5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion. + +## Troubleshoot Port exhaustion + +The key is to identify which process or application is using all the ports. Below are some of the tools that you can use to isolate to one single process + +### Method 1 + +Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process: + +```Powershell +Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending +``` + +Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports. + +For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet. + +### Method 2 + +If method 1 does not help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager: + +1. Add a column called “handles” under details/processes. +2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe. + + ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png) + +3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds. + +### Method 3 + +If Task Manager did not help you identify the process, then use Process Explorer to investigate the issue. + +Steps to use Process explorer: + +1. [Download Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) and run it **Elevated**. +2. Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**. +3. Select **View \ Show Lower Pane**. +4. Select **View \ Lower Pane View \ Handles**. +5. Click the **Handles** column to sort by that value. +6. Examine the processes with higher handle counts than the rest (will likely be over 10,000 if you can't make outbound connections). +7. Click to highlight one of the processes with a high handle count. +8. In the lower pane, the handles listed as below are sockets. (Sockets are technically file handles). + + File \Device\AFD + + ![Screenshot of Process Explorer](images/tcp-ts-22.png) + +10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. + +Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles. + +As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: + +```cmd +netsh int ipv4 set dynamicport tcp start=10000 num=1000 +``` + +This will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. + +>[!NOTE] +>Note that increasing the dynamic port range is not a permanent solution but only temporary. You will need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why its consuming such high number of ports. + +For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend. + +``` +@ECHO ON +set v=%1 +:loop +set /a v+=1 +ECHO %date% %time% >> netstat.txt +netstat -ano >> netstat.txt + +PING 1.1.1.1 -n 1 -w 60000 >NUL + +goto loop +``` + + + + +## Useful links + +- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status + +- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) + diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md new file mode 100644 index 0000000000..c747c000a8 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -0,0 +1,187 @@ +--- +title: Troubleshoot Remote Procedure Call (RPC) errors +description: Learn how to troubleshoot Remote Procedure Call (RPC) errors +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot Remote Procedure Call (RPC) errors + +You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error. + +![The following error has occurred: the RPC server is unavailable](images/rpc-error.png) + +This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. + +Before getting in to troubleshooting the **RPC server unavailable*- error, let’s first understand basics about the error. There are a few important terms to understand: + +- Endpoint mapper – a service listening on the server, which guides client apps to server apps by port and UUID. +- Tower – describes the RPC protocol, to allow the client and server to negotiate a connection. +- Floor – the contents of a tower with specific data like ports, IP addresses, and identifiers. +- UUID – a well-known GUID that identifies the RPC application. The UUID is what you use to see a specific kind of RPC application conversation, as there are likely to be many. +- Opnum – the identifier of a function that the client wants the server to execute. It’s just a hexadecimal number, but a good network analyzer will translate the function for you. If neither knows, your application vendor must tell you. +- Port – the communication endpoints for the client and server applications. +- Stub data – the information given to functions and data exchanged between the client and server. This is the payload, the important part. + +>[!Note] +> A lot of the above information is used in troubleshooting, the most important is the Dynamic RPC port number you get while talking to EPM. + +## How the connection works + +Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake. + +![Diagram illustrating connection to remote server](images/rpc-flow.png) + +RPC ports can be given from a specific range as well. +### Configure RPC dynamic port allocation + +Remote Procedure Call (RPC) dynamic port allocation is used by server applications and remote administration applications such as Dynamic Host Configuration Protocol (DHCP) Manager, Windows Internet Name Service (WINS) Manager, and so on. RPC dynamic port allocation will instruct the RPC program to use a particular random port in the range configured for TCP and UDP, based on the implementation of the operating system used. + +Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (UDP and TCP) ports. Many RPC servers in Windows let you specify the server port in custom configuration items such as registry entries. When you can specify a dedicated server port, you know what traffic flows between the hosts across the firewall, and you can define what traffic is allowed in a more directed manner. + +As a server port, please choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](https://support.microsoft.com/help/832017). +The article also lists the RPC servers and which RPC servers can be configured to use custom server ports beyond the facilities the RPC runtime offers. + +Some firewalls also allow for UUID filtering where it learns from a RPC Endpoint Mapper request for a RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass. + +With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry: + +**HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ Entry name Data Type** + +**Ports REG_MULTI_SZ** + +- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid. + +**PortsInternetAvailable REG_SZ Y or N (not case-sensitive)** + +- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available. + +**UseInternetPorts REG_SZ ) Y or N (not case-sensitive)** + +- Specifies the system default policy. +- If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously. +- If N, the processes using the default will be assigned ports from the set of intranet-only ports. + +**Example:** + +In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system. + +1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc + +2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ). + + For example, the new registry key appears as follows: + Ports: REG_MULTI_SZ: 5000-6000 + PortsInternetAvailable: REG_SZ: Y + UseInternetPorts: REG_SZ: Y + +3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive. + +You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other. + +>[!Note] +>The minimum number of ports required may differ from computer to computer. Computers with higher traffic may run into a port exhaustion situation if the RPC dynamic ports are restricted. Take this into consideration when restricting the port range. + +>[!WARNING] +>If there is an error in the port configuration or there are insufficient ports in the pool, the Endpoint Mapper Service will not be able to register RPC servers with dynamic endpoints. When there is a configuration error, the error code will be 87 (0x57) ERROR_INVALID_PARAMETER. This can affect Windows RPC servers as well, such as Netlogon. It will log event 5820 in this case: +> +>Log Name: System +>Source: NETLOGON +>Event ID: 5820 +>Level: Error +>Keywords: Classic +>Description: +>The Netlogon service could not add the AuthZ RPC interface. The service was terminated. The following error occurred: 'The parameter is incorrect.' + +If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://blogs.technet.microsoft.com/askds/2012/01/24/rpc-over-itpro/). + + +## Troubleshooting RPC error + +### PortQuery + +The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you are able to make a connection by running the command: + +```cmd +Portqry.exe -n -e 135 +``` + +This would give you a lot of output to look for, but you should be looking for **ip_tcp*- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”: + +```cmd +Portqry.exe -n 169.254.0.2 -e 135 +``` +Partial output below: + +>Querying target system called: +>169.254.0.2 +>Attempting to resolve IP address to a name... +>IP address resolved to RPCServer.contoso.com +>querying... +>TCP port 135 (epmap service): LISTENING +>Using ephemeral source port +>Querying Endpoint Mapper Database... +>Server's response: +>UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d +>ncacn_ip_tcp:169.254.0.10**[49664]** + + +The one in bold is the ephemeral port number that you made a connection to successfully. + +### Netsh + +You can run the commands below to leverage Windows inbuilt netsh captures, to collect a simultaneous trace. Remember to execute the below on an “Admin CMD”, it requires elevation. + +- On the client +```cmd +Netsh trace start scenario=netconnection capture=yes tracefile=c:\client_nettrace.etl maxsize=512 overwrite=yes report=yes +``` + +- On the Server +```cmd +Netsh trace start scenario=netconnection capture=yes tracefile=c:\server_nettrace.etl maxsize=512 overwrite=yes report=yes +``` + +Now try to reproduce your issue from the client machine and as soon as you feel the issue has been reproduced, go ahead and stop the traces using the command +```cmd +Netsh trace stop +``` + +Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) or Message Analyzer and filter the trace for + +- Ipv4.address== and ipv4.address== and tcp.port==135 or just tcp.port==135 should help. + +- Look for the “EPM” Protocol Under the “Protocol” column. + +- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use. + + ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png) + +- Check if we are connecting successfully to this Dynamic port successfully. + +- The filter should be something like this: tcp.port== and ipv4.address== + + ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png) + +This should help you verify the connectivity and isolate if any network issues are seen. + + +### Port not reachable + +The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port. + +![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png) + +The port cannot be reachable due to one of the following reasons: + +- The dynamic port range is blocked on the firewall in the environment. +- A middle device is dropping the packets. +- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc). + + + diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md new file mode 100644 index 0000000000..f758b36a67 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip.md @@ -0,0 +1,20 @@ +--- +title: Advanced troubleshooting for TCP/IP issues +description: Learn how to troubleshoot TCP/IP issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Advanced troubleshooting for TCP/IP issues + +In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment. + +- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) +- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) +- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) +- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md new file mode 100644 index 0000000000..47d03fef10 --- /dev/null +++ b/windows/client-management/troubleshoot-windows-startup.md @@ -0,0 +1,19 @@ +--- +title: Advanced troubleshooting for Windows start-up issues +description: Learn how to troubleshoot Windows start-up issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: +--- + +# Advanced troubleshooting for Windows start-up issues + +In these topics, you will learn how to troubleshoot common problems related to Windows start-up. + +- [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) +- [Advanced troubleshooting for Stop error or blue screen error](troubleshoot-stop-errors.md) +- [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index a142517a28..8f2904b128 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -16,7 +16,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t | | | --- | --- - | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

A single-app kiosk is ideal for public use.

(Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

A single-app kiosk is ideal for public use.

(Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

A multi-app kiosk is appropriate for devices that are shared by multiple people.

When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. @@ -47,7 +47,7 @@ You can use this method | For this edition | For this kiosk account type You can use this method | For this edition | For this kiosk account type --- | --- | --- [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD -[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD +[Shell Launcher](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD @@ -68,7 +68,7 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X -[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 79b8628623..986da71577 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -28,7 +28,7 @@ For a more secure kiosk experience, we recommend that you make the following con Recommendation | How to --- | --- -Hide update notifications
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as DWORD (32-bit) type:
`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. +Hide update notifications
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as DWORD (32-bit) type:
`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled` Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen) diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index bc3b5d3544..93605b8aea 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -38,7 +38,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be - + diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index a4e515d653..aa66879976 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -89,7 +89,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) -- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For example, open PowerShell as an administrator and enter the following: +- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: ``` $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index b00555481d..4e9ee7e411 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 11/06/2018 +ms.date: 12/07/2018 author: greg-lindsay --- @@ -16,7 +16,6 @@ author: greg-lindsay **Applies to** - Windows 10 - ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. @@ -34,6 +33,12 @@ Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/20 ![Support lifecycle](images/support-cycle.png) +## Windows 10 servicing and support + +Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. + +![Support lifecycle](images/support-cycle.png) + ## Windows 10 Enterprise upgrade Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md). diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 0161bd05b1..826492af20 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -60,7 +60,7 @@ sections: Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment.
 

[Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

N/A[HORM](https://docs.microsoft.com/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)

HORM is supported in Windows 10, version 1607 and later.

- + diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index fdb462323c..51f0ecee10 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -42,7 +42,7 @@ Worried about your line of business apps not working in S mode? [Desktop Bridge] ## Repackage Win32 apps into the MSIX format -The [MSIX Packaging Tool](https:/docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode. +The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode. ## Related links diff --git a/windows/deployment/update/images/champs-2.png b/windows/deployment/update/images/champs-2.png new file mode 100644 index 0000000000..bb87469a35 Binary files /dev/null and b/windows/deployment/update/images/champs-2.png differ diff --git a/windows/deployment/update/images/champs.png b/windows/deployment/update/images/champs.png new file mode 100644 index 0000000000..ea719bc251 Binary files /dev/null and b/windows/deployment/update/images/champs.png differ diff --git a/windows/deployment/update/images/deploy-land.png b/windows/deployment/update/images/deploy-land.png new file mode 100644 index 0000000000..bf104b6843 Binary files /dev/null and b/windows/deployment/update/images/deploy-land.png differ diff --git a/windows/deployment/update/images/discover-land.png b/windows/deployment/update/images/discover-land.png new file mode 100644 index 0000000000..8f9e30ce10 Binary files /dev/null and b/windows/deployment/update/images/discover-land.png differ diff --git a/windows/deployment/update/images/ignite-land.jpg b/windows/deployment/update/images/ignite-land.jpg new file mode 100644 index 0000000000..7d0837af47 Binary files /dev/null and b/windows/deployment/update/images/ignite-land.jpg differ diff --git a/windows/deployment/update/images/plan-land.png b/windows/deployment/update/images/plan-land.png new file mode 100644 index 0000000000..7569da7ac1 Binary files /dev/null and b/windows/deployment/update/images/plan-land.png differ diff --git a/windows/deployment/update/images/video-snip.PNG b/windows/deployment/update/images/video-snip.PNG new file mode 100644 index 0000000000..35317ee027 Binary files /dev/null and b/windows/deployment/update/images/video-snip.PNG differ diff --git a/windows/deployment/update/waas-delivery-optimization-reference.txt b/windows/deployment/update/waas-delivery-optimization-reference.txt deleted file mode 100644 index 993295784a..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-reference.txt +++ /dev/null @@ -1,23 +0,0 @@ ---- -title: Delivery Optimization reference -description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 -keywords: oms, operations management suite, wdav, updates, downloads, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: JaimeO -ms.localizationpriority: medium -ms.author: jaimeo -ms.date: 10/23/2018 ---- - -# Delivery Optimization reference - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. - diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md deleted file mode 100644 index edb097e05a..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -title: Set up Delivery Optimization -description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 -keywords: oms, operations management suite, wdav, updates, downloads, log analytics -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: JaimeO -ms.localizationpriority: medium -ms.author: jaimeo -ms.date: 10/23/2018 ---- - -# Set up Delivery Optimization for Windows 10 updates - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -## Plan to use Delivery Optimization - -general guidelines + “recommended policies” chart - - -## Implement Delivery Optimization -[procedural-type material; go here, click this] - -### Peer[?] topology (steps for setting up Group download mode) - - -### Hub and spoke topology (steps for setting up peer selection) - - -## Monitor Delivery Optimization -how to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? - -### Monitor w/ PS - -### Monitor w/ Update Compliance - diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index c43a9b860b..f82f1afa73 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -1,5 +1,5 @@ --- -title: Delivery Optimization for Windows 10 updates (Windows 10) +title: Configure Delivery Optimization for Windows 10 updates (Windows 10) description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10 keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 @@ -8,10 +8,10 @@ ms.sitesec: library author: JaimeO ms.localizationpriority: medium ms.author: jaimeo -ms.date: 10/23/2018 +ms.date: 04/30/2018 --- -# Delivery Optimization for Windows 10 updates +# Configure Delivery Optimization for Windows 10 updates **Applies to** @@ -20,14 +20,15 @@ ms.date: 10/23/2018 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Delivery Optimization reduces the bandwidth needed to download Windows updates and applications by sharing the work of downloading these packages among multiple devices in your deployment. It does this by using a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. +Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager when installation of Express Updates is enabled. -You can use Delivery Optimization in conjunction with standalone Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or System Center Configuration Manager (when installation of Express Updates is enabled). +Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. -To take advantage of Delivery Optimization, you'll need the following: -- The devices being updated must have access to the internet. -- The devices must be running at least these minimum versions: +>[!NOTE] +>WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. + +The following table lists the minimum Windows 10 version that supports Delivery Optimization: | Device type | Minimum Windows version | |------------------|---------------| @@ -36,11 +37,10 @@ To take advantage of Delivery Optimization, you'll need the following: | IoT devices | 1803 | | HoloLens devices | 1803 | - In Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. These options are detailed in [Download mode](#download-mode). ->[!NOTE] ->WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. +By default in Windows 10 Enterprise and Education editions, Delivery Optimization allows peer-to-peer sharing on the organization's own network only, but you can configure it differently in Group Policy and mobile device management (MDM) solutions such as Microsoft Intune. +For more details, see [Download mode](#download-mode). ## Delivery Optimization options diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index 04358b5b05..1c5817f29c 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 07/02/2018 +ms.date: 12/11/2018 ms.localizationpriority: high --- @@ -17,7 +17,7 @@ ms.localizationpriority: high Windows Analytics is fully committed to privacy, centering on these tenets: - **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details). -- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics +- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics - **Security:** Your data is protected with strong security and encryption - **Trust:** Windows Analytics supports the Microsoft Online Service Terms @@ -39,8 +39,11 @@ See these topics for additional background information about related privacy iss - [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) -- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file) -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) +- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) +- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) +- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) - [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields) - [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) - [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md new file mode 100644 index 0000000000..2864e9cf63 --- /dev/null +++ b/windows/deployment/update/windows-as-a-service.md @@ -0,0 +1,137 @@ +--- +title: Windows as a service +ms.prod: windows-10 +layout: LandingPage +ms.topic: landing-page +ms.manager: elizapo +author: lizap +ms.author: elizapo +ms.date: 12/12/2018 +ms.localizationpriority: high +--- +# Windows as a service + +Find the tools and resources you need to help deploy and support Windows as a service in your organization. + +## Latest news, videos, & podcasts + +Find the latest and greatest news on Windows 10 deployment and servicing. + +**Windows 10 monthly updates** +> [!VIDEO https://www.youtube-nocookie.com/embed/BwB10v55WSk] + +Windows 10 is the most secure version of Windows yet. Learn what updates we release and when we release them, so you understand the efforts we take to keep your digital life safe and secure. + +The latest news: + + +[See more news](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog) + +## IT pro champs corner +Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. + + + + +**NEW** Understanding the differences between servicing Windows 10-era and legacy Windows operating systems + +NEW Express updates for Windows Server 2016 re-enabled for November 2018 update + + +2019 SHA-2 Code Signing Support requirement for Windows and WSUS + +Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices + +## Discover + +Learn more about Windows as a service and its value to your organization. + + + +Overview of Windows as a service + +Quick guide to Windows as a service + +Windows Analytics overview + +What's new in Windows 10 deployment + +How Microsoft IT deploys Windows 10 + +## Plan + +Prepare to implement Windows as a service effectively using the right tools, products, and strategies. + + + +Simplified updates + +Windows 10 end user readiness + +Ready for Windows + +Manage Windows upgrades with Upgrade Readiness + +Preparing your organization for a seamless Windows 10 deployment + +## Deploy + +Secure your organization's deployment investment. + + + +Update Windows 10 in the enterprise + +Deploying as an in-place upgrade + +Configure Windows Update for Business + +Express update delivery + +Windows 10 deployment considerations + + +## Microsoft Ignite 2018 + + +Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. + +[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) + +[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) + +[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) + +[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) + +[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) + +[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) + +[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) + +[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) + +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) \ No newline at end of file diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 4c558115d6..0f5c91d457 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -164,12 +164,12 @@ Users may see that Windows 10 is consuming all the bandwidth in the different of The following group policies can help mitigate this: -[Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) -[Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) -[Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) +- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) +- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") +- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) Other components that reach out to the internet: -- Windows Spotlight. [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) -- [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) -- Modern App- Windows Update installation fails. [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) \ No newline at end of file +- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index e295b3fa32..5c83f04180 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo -ms.date: 10/29/2018 +ms.date: 12/12/2018 --- # Upgrade Readiness deployment script @@ -83,232 +83,69 @@ To run the Upgrade Readiness deployment script: The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. -
-
TopicDescription
[Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) This topic provides information about support for upgrading directly to Windows 10 from a previous operating system.
[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) This topic provides information about support for upgrading from one edition of Windows 10 to another.
[Windows 10 volume license media](windows-10-media.md) This topic provides information about media available in the Microsoft Volume Licensing Service Center.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exit code and meaningSuggested fix
0 - SuccessN/A
1 - Unexpected error occurred while executing the script. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.
2 - Error when logging to console. $logMode = 0.
(console only)		Try changing the $logMode value to **1** and try again.
$logMode value 1 logs to both console and file.
3 - Error when logging to console and file. $logMode = 1.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
4 - Error when logging to file. $logMode = 2.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
5 - Error when logging to console and file. $logMode = unknown.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
6 - The commercialID parameter is set to unknown.
Modify the runConfig.bat file to set the CommercialID value.		The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. -
See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.
8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection** -
Verify that the context under which the script in running has access to the registry key.
9 - The script failed to write Commercial Id to registry. -
Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection** - 		Verify that the context under which the script in running has access to the registry key.
10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**Verify that the deployment script is running in a context that has access to the registry key.
11 - Function **SetupCommercialId** failed with an unexpected exception.The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**
Verify that the configuration script has access to this location.
12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings.**Http Get** on the end points did not return a success exit code.
- For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
- For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. -
If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) -
13 - Can’t connect to Microsoft - setting. An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. -14
14 - Can’t connect to Microsoft - compatexchange.An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md).
15 - Function CheckVortexConnectivity failed with an unexpected exception.This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult.
16 - The computer requires a reboot before running the script.A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.
17 - Function **CheckRebootRequired** failed with an unexpected exception.A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.
18 - Appraiser KBs not installed or **appraiser.dll** not found.Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.
19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.
20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT -\CurrentVersion\AppCompatFlags\Appraiser** The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key.
21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.Check the logs for the exception message and HResult.
22 - **RunAppraiser** failed with unexpected exception.Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.
23 - Error finding system variable **%WINDIR%**.Verify that this environment variable is configured on the computer.
24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.
25 - The function **SetIEDataOptIn** failed with unexpected exception.Check the logs for the exception message and HResult.
27 - The script is not running under **System** account.The Upgrade Readiness configuration script must be run as **System**.
28 - Could not create log file at the specified **logPath**. Make sure the deployment script has access to the location specified in the **logPath** parameter.
29 - Connectivity check failed for proxy authentication. Instal cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. -
The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. -
For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). -
For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688).
30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. -
For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). -
For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
32 - Appraiser version on the machine is outdated. The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1.
33 - **CompatTelRunner.exe** exited with an exit code **CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow.
34 - Function **CheckProxySettings** failed with an unexpected exception. Check the logs for the exception message and HResult.>
35 - Function **CheckAuthProxy** failed with an unexpected exception.Check the logs for the exception message and HResult.
36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.Check the logs for the exception message and HResult.
37 - **Diagnose_internal.cmd** failed with an unexpected exception.Check the logs for the exception message and HResult.
38 - Function **Get-SqmID** failed with an unexpected exception. Check the logs for the exception message and HResult.
39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection** - or **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. Check the logs for the exception message and HResult.
41 - The script failed to impersonate the currently logged on user. The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.
42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. Check the logs for the exception message and HResult.
43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.Check the logs for the exception message and HResult.
44 - Diagtrack.dll version is old, so Auth Proxy will not work.Update the PC using Windows Update/Windows Server Update Services.
45 - Diagrack.dll was not found.Update the PC using Windows Update/Windows Server Update Services.
48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.
50 - Diagtrack Service is not running.Diagtrack Service is required to send data to Microsoft. Enable and run the 'Connected User Experiences and Telemetry' service.
51 - RunCensus failed with an unexpected exception.RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details.
52 - DeviceCensus.exe not found on a Windows 10 machine.On computers running Windows 10, the process devicecensus.exe should be present in the \system32 folder. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location.
53 - There is a different CommercialID present at the GPO path:  **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**. This will take precedence over the CommercialID provided in the script.Provide the correct CommercialID at the GPO location.
- +| Exit code | Suggested fix | +|-----------|--------------| +| 0 - Success | N/A | +| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. | +| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. | +| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. | +| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. | +| 9 - The script failed to write Commercial Id to registry. +Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. | +| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. | +| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. | +| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) | +| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. | +| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). | +| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. | +| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. | +| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. | +|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. | +| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. | +| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. | +| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. | +| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. | +| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. | +| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. | +| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. | +| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. | +| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). | +| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). | +| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. | +| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. | +| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. | +| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. | +| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). | +| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. | +| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. | +| 45 - Diagrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. | +| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. | +| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. | +| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. | +| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. | +| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. | +| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client. | +| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. | +| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.| +| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. | +| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. | +| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. | +| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. | +| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. | + + + >[!NOTE] diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index e64be6f39d..80c66dec36 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -7,18 +7,29 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay -ms.date: 04/19/2017 +ms.date: 12/07/2018 --- -# Active Directory-Based Activation Overview +# Active Directory-Based Activation overview Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. -## Active Directory-Based Activation Scenarios +## ADBA scenarios -VAMT enables IT Professionals to manage and activate the Active Directory-Based Activation object. Activation can be performed by using a scenario such as the following: -- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the Active Directory-Based Activation Object a name. -- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the Active Directory-Based Activation Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. +You might use ADBA if you only want to activate domain joined devices. + +If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. + +ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values. + +Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. + + +## ADBA methods + +VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods: +- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. +- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. ## Related topics diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index e16013f4db..dd630b65e0 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -1,16 +1,15 @@ # [Windows Autopilot](windows-autopilot.md) ## [Requirements](windows-autopilot-requirements.md) ### [Configuration requirements](windows-autopilot-requirements-configuration.md) +#### [Intune Connector (preview)](intune-connector.md) ### [Network requirements](windows-autopilot-requirements-network.md) ### [Licensing requirements](windows-autopilot-requirements-licensing.md) -### [Intune Connector (preview)](intune-connector.md) ## [Scenarios and Capabilities](windows-autopilot-scenarios.md) ### [Support for existing devices](existing-devices.md) ### [User-driven mode](user-driven.md) #### [Azure Active Directory joined](user-driven-aad.md) #### [Hybrid Azure Active Directory joined](user-driven-hybrid.md) ### [Self-deploying mode](self-deploying.md) -### [Enrollment status page](enrollment-status.md) ### [Windows Autopilot Reset](windows-autopilot-reset.md) #### [Remote reset](windows-autopilot-reset-remote.md) #### [Local reset](windows-autopilot-reset-local.md) @@ -18,6 +17,7 @@ ### [Configuring](configure-autopilot.md) #### [Adding devices](add-devices.md) #### [Creating profiles](profiles.md) +#### [Enrollment status page](enrollment-status.md) ### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) ### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index 1bc77cb9db..a10eb72607 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 12/12/2018 --- # Adding devices to Windows Autopilot @@ -20,6 +20,20 @@ ms.date: 10/02/2018 Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. +## Manual registration + +To perform manual registration of a device, you must caputure its hardware ID (also known as a hardware hash) and upload this to the Windows Autopilot deployment service. See the topics below for detailed information on how to collect and upload hardware IDs. + +>[!IMPORTANT] +>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
+>After Intune reports the profile ready to go, only then should the device be connected to the Internet. + +Also note that if OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries: + +**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE** + +To ensure OOBE has not been restarted too many times, you can change this value to 1. + ## Device identification To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. @@ -32,28 +46,26 @@ Note that the hardware hash also contains details about when it was generated, s The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). -To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, these commands can be used: +To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: -*md c:\\HWID* +```powershell +md c:\\HWID +Set-Location c:\\HWID +Set-ExecutionPolicy Unrestricted +Install-Script -Name Get-WindowsAutoPilotInfo +Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv +``` -*Set-Location c:\\HWID* - -*Set-ExecutionPolicy Unrestricted* - -*Install-Script -Name Get-WindowsAutoPilotInfo* - -*Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv* - -You must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information. +The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. >[!NOTE] ->With Windows 10 version 1803 and above, devices will download an Autopilot profile as soon as they connect to the internet. For devices that are not yet registered with the Autopilot deployment service, a profile will be downloaded that indicates the device should not be deployed using Autopilot. If the device connects to the internet as part of the collection process, you will need to reset the PC, reimage the PC, or re-generalize the OS (using sysprep /generalize /oobe). +>If you will connect to the device remotely to collect the hardware ID, see the information at the top of this page about device connectivity to the Internet. ## Collecting the hardware ID from existing devices using System Center Configuration Manager Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. -## Uploading hardware IDs +## Registering devices Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism: diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md index 7444e0b565..1913e60393 100644 --- a/windows/deployment/windows-autopilot/configure-autopilot.md +++ b/windows/deployment/windows-autopilot/configure-autopilot.md @@ -26,7 +26,10 @@ When deploying new devices using Windows Autopilot, a common set of steps are re 2. [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented. -3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download the profile settings which are used to customize the end user experience. +3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. +## Related topics + +[Windows Autopilot scenarios](windows-autopilot-scenarios.md) \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index b3432a245a..e5f113b83c 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -10,7 +10,7 @@ ms.pagetype: deploy ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 11/01/2018 +ms.date: 12/13/2018 --- # Windows Autopilot Enrollment Status page @@ -33,6 +33,7 @@ The Windows Autopilot Enrollment Status page displaying the status of the comple Show error when installation takes longer than specified number of minutesSpecify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered. Show custom message when an error occursA text box is provided where you can specify a custom message to display in case of an installation error.The default message is displayed:
Oh no! Something didn't do what it was supposed to. Please contact your IT department. Allow users to collect logs about installation errorsIf there is an installation error, a Collect logs button is displayed.
If the user clicks this button they are asked to choose a location to save the log file MDMDiagReport.cabThe Collect logs button is not displayed if there is an installation error. +Block device use until these required apps are installed if they are assigned to the user/deviceChoose All or Selected.

If Selected is chosen, a Select apps button is displayed that enables you to choose which apps must be installed prior to enabling device use. See the following example: @@ -48,13 +49,20 @@ The Enrollment Status page tracks a subset of the available MDM CSP policies tha - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp). - Certain device configuration policies. -Presently the following types of policies are not tracked: +The following types of policies and installations are not tracked: -- Intune Management Extensions PowerShell scripts. -- Office 365 ProPlus installations. -- System Center Configuration Manager apps, packages, and task sequences. +- Intune Management Extensions PowerShell scripts +- Office 365 ProPlus installations** +- System Center Configuration Manager apps, packages, and task sequences -## For more information +**The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.
+ +## More information + +For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
+For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+For more information about blocking for app installation: +- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). -For more information on configuring the Enrollment Status page, [see the Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status). For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp). diff --git a/windows/deployment/windows-autopilot/images/esp-settings.png b/windows/deployment/windows-autopilot/images/esp-settings.png index 0153ba58f9..df0fe655e9 100644 Binary files a/windows/deployment/windows-autopilot/images/esp-settings.png and b/windows/deployment/windows-autopilot/images/esp-settings.png differ diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md index 26e9395e49..dd9f40aa1a 100644 --- a/windows/deployment/windows-autopilot/profiles.md +++ b/windows/deployment/windows-autopilot/profiles.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 12/13/2018 --- # Configure Autopilot profiles @@ -18,7 +18,29 @@ ms.date: 10/02/2018 - Windows 10 -For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied to specify the exact behavior of that device when it is deployed. The following profile settings are available: +For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices). + +## Profile download + +When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC. + +When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table. + +| Windows 10 version | Profile download behavior | +| --- | --- | +| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. | +| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. | +| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. | + +If you need to reboot a computer during OOBE: +- Press Shift-F10 to open a command prompt. +- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options). + +## Profile settings + +The following profile settings are available: - **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process. @@ -33,3 +55,7 @@ For each device that has been defined to the Windows Autopilot deployment servic - **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users. - **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details. + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md deleted file mode 100644 index 6b988faa67..0000000000 --- a/windows/deployment/windows-autopilot/windows-10-autopilot.md +++ /dev/null @@ -1,144 +0,0 @@ ---- -title: Overview of Windows Autopilot -description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 10/02/2018 ---- - -# Overview of Windows Autopilot - -**Applies to** - -- Windows 10 - -Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
-This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. - -The following video shows the process of setting up Autopilot: - -
- - -## Benefits of Windows Autopilot - -Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach. - -From the users' perspective, it only takes a few simple operations to make their device ready to use. - -From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. - -## Windows Autopilot Scenarios - -### Cloud-Driven - -The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. - -#### The Windows Autopilot Deployment Program experience - -The Windows Autopilot Deployment Program enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) -* Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on a device's profile -* Customize OOBE content specific to the organization - -##### Prerequisites - ->[!NOTE] ->Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -* [Devices must be registered to the organization](#device-registration-and-oobe-customization) -* [Company branding needs to be configured](#configure-company-branding-for-oobe) -* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements) -* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later -* Devices must have access to the internet -* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) -* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal) -* Microsoft Intune or other MDM services to manage your devices - -The end-user unboxes and turns on a new device. What follows are a few simple configuration steps: -* Select a language and keyboard layout -* Connect to the network -* Provide email address (the email address of the user's Azure AD account) and password - -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). - -MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. - -
- - -#### Device registration and OOBE customization - -To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. - -If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. - -Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703: -* Skipping Work or Home usage selection (*Automatic*) -* Skipping OEM registration, OneDrive and Cortana (*Automatic*) -* Skipping privacy settings -* Skipping EULA (*starting with Windows 10, version 1709*) -* Preventing the account used to set-up the device from getting local administrator permissions - -For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: -* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) -* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) -* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) - -##### Configure company branding for OOBE - -In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. - -See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. - -##### Configure MDM auto-enrollment in Microsoft Intune - -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. - ->[!NOTE] ->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. - -#### Network connectivity requirements - -The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. - -To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: - -* https://go.microsoft.com -* https://login.microsoftonline.com -* https://login.live.com -* https://account.live.com -* https://signup.live.com -* https://licensing.mp.microsoft.com -* https://licensing.md.mp.microsoft.com -* ctldl.windowsupdate.com -* download.windowsupdate.com - ->[!NOTE] ->Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. - ->[!TIP] ->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). - -### IT-Driven - -If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). - - -### Self-Deploying - -Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying). - - -### Teacher-Driven - -If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. - diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 3b1ede0e05..e2dc975086 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 12/13/2018 --- # Windows Autopilot requirements @@ -18,6 +18,14 @@ ms.date: 10/02/2018 Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met: -- [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met. -- [Networking requirements](windows-autopilot-requirements-network.md) need to be met. -- [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed. \ No newline at end of file +See the following topics for details on licensing, network, and configuration requirements: +- [Licensing requirements](windows-autopilot-requirements-licensing.md) +- [Networking requirements](windows-autopilot-requirements-network.md) +- [Configuration requirements](windows-autopilot-requirements-configuration.md) + - For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector. + +There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index 9db8678ee2..8dc1b58886 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 12/13/2018 --- # Windows Autopilot scenarios @@ -20,7 +20,11 @@ Windows Autopilot includes support for a growing list of scenarios, designed to For details about these scenarios, see these additional topics: -- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person. -- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. -- [Windows Autopilot Reset](windows-autopilot-reset.md), +- [Windows Autopilot for existing devices](existing-devices.md), to deploy Windows 10 on an existing Windows 7 or 8.1 device. +- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person. +- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. +- [Windows Autopilot Reset](windows-autopilot-reset.md), to re-deploy a device in a business-ready state. +## Related topics + +[Windows Autopilot Enrollment Status page](enrollment-status.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index 37f8070dad..df329861e8 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -1,10 +1,10 @@ --- title: Overview of Windows Autopilot description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: greg-lindsay @@ -14,7 +14,12 @@ ms.date: 10/02/2018 # Overview of Windows Autopilot -**Applies to: Windows 10** +**Applies to** + +- Windows 10 + +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
+This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. @@ -24,3 +29,126 @@ When initially deploying new Windows devices, Windows Autopilot leverages the OE Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. +## Windows Autopilot walkthrough + +The following video shows the process of setting up Windows Autopilot: + +
+ + +## Benefits of Windows Autopilot + +Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach. + +From the users' perspective, it only takes a few simple operations to make their device ready to use. + +From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. + +## Windows Autopilot Scenarios + +### Cloud-Driven + +The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. + +#### The Windows Autopilot Deployment Program experience + +The Windows Autopilot Deployment Program enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) +* Restrict the Administrator account creation +* Create and auto-assign devices to configuration groups based on a device's profile +* Customize OOBE content specific to the organization + +##### Prerequisites + +>[!NOTE] +>Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. + +* [Devices must be registered to the organization](#device-registration-and-oobe-customization) +* [Company branding needs to be configured](#configure-company-branding-for-oobe) +* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements) +* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later +* Devices must have access to the internet +* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) +* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal) +* Microsoft Intune or other MDM services to manage your devices + +The end-user unboxes and turns on a new device. What follows are a few simple configuration steps: +* Select a language and keyboard layout +* Connect to the network +* Provide email address (the email address of the user's Azure AD account) and password + +Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). + +MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. + +
+ + +#### Device registration and OOBE customization + +To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. + +If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. + +Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703: +* Skipping Work or Home usage selection (*Automatic*) +* Skipping OEM registration, OneDrive and Cortana (*Automatic*) +* Skipping privacy settings +* Skipping EULA (*starting with Windows 10, version 1709*) +* Preventing the account used to set-up the device from getting local administrator permissions + +For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: +* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) +* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) +* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) + +##### Configure company branding for OOBE + +In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. + +See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. + +##### Configure MDM auto-enrollment in Microsoft Intune + +In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. + +>[!NOTE] +>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. + +#### Network connectivity requirements + +The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. + +To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: + +* https://go.microsoft.com +* https://login.microsoftonline.com +* https://login.live.com +* https://account.live.com +* https://signup.live.com +* https://licensing.mp.microsoft.com +* https://licensing.md.mp.microsoft.com +* ctldl.windowsupdate.com +* download.windowsupdate.com + +>[!NOTE] +>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. + +>[!TIP] +>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). + +### IT-Driven + +If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). + + +### Self-Deploying + +Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying). + + +### Teacher-Driven + +If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. + diff --git a/windows/docfx.json b/windows/docfx.json index f1253f1567..9ac35033eb 100644 --- a/windows/docfx.json +++ b/windows/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index 6a6cc2230e..1883594880 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md @@ -1,5 +1,6 @@ # [Windows 10 and Windows 10 Mobile](index.md) ## [What's new](/windows/whats-new) +## [Release information](release-information.md) ## [Deployment](/windows/deployment) ## [Configuration](/windows/configuration) ## [Client management](/windows/client-management) diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 781df2941e..d62fafe3c4 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -38,7 +38,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "brianlic", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/hub/release-information.md b/windows/hub/release-information.md new file mode 100644 index 0000000000..89d0606cfe --- /dev/null +++ b/windows/hub/release-information.md @@ -0,0 +1,37 @@ +--- +title: Windows 10 - release information +description: Learn release information for Windows 10 releases +keywords: ["Windows 10", "Windows 10 October 2018 Update"] +ms.prod: w10 +layout: LandingPage +ms.topic: landing-page +ms.mktglfcycl: deploy +ms.sitesec: library +author: lizap +ms.author: elizapo +ms.localizationpriority: high +--- +# Windows 10 - Release information + +>[!IMPORTANT] +> The URL for the release information page has changed - update your bookmark! + +Microsoft has updated its servicing model. The Semi-Annual Channel (SAC) offers twice-per-year feature updates that release around March and September, with an 18-month servicing period for each release. Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date (more information can be found [here](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/)). + +If you are not using Windows Update for Business today, “Semi-Annual Channel (Targeted)” (SAC-T) has no impact on your devices (more information can be found [here](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747)), and we recommend you begin deployment of each Semi-Annual Channel release right away to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. + +If you are using Windows Update for Business today, refer to the table below to understand when your device will be updated, based on which deferral period you have configured, SAC -T or SAC. + +**Notice: November 13, 2018:** All editions of Windows 10 October 2018 Update, version 1809, for Windows client and server have resumed. Customers currently running Windows 10, version 1809, will receive build 17763.134 as part of our regularly scheduled Update Tuesday servicing in November. If you update to the Window 10, version 1809, feature update you will receive build 17763.107. On the next automatic scan for updates, you’ll be taken to the latest cumulative update (build 17763.134 or higher). + +November 13 marks the revised start of the servicing timeline for the Semi-Annual Channel ("Targeted") and Long-Term Servicing Channel (LTSC) release for Windows 10, version 1809, Windows Server 2019, and Windows Server, version 1809. + +For information about the re-release and updates to the support lifecycle, refer to [John Cable's blog](https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/), [Windows 10 Update History](https://support.microsoft.com/help/4464619), and the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853). + +
+
+ + +
+ + diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md new file mode 100644 index 0000000000..c7c10965fd --- /dev/null +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -0,0 +1,197 @@ +--- +title: Diagnostic Data Viewer for PowerShell Overview (Windows 10) +description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device. +keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +author: brianlic-msft +ms.author: brianlic +ms.date: 01/17/2018 +--- + +# Diagnostic Data Viewer for PowerShell Overview + +**Applies to** + +- Windows 10, version 1809 +- Windows 10, version 1803 +- Windows Server, version 1803 +- Windows Server 2019 + +## Introduction +The Diagnostic Data Viewer for PowerShell is a PowerShell module that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. + +## Requirements + +You must have administrative privilege on the device in order to use this PowerShell module. This module requires OS version 1803 and higher. + +## Install and Use the Diagnostic Data Viewer for PowerShell + +You must install the module before you can use the Diagnostic Data Viewer for PowerShell. + +### Install the Diagnostic Data Viewer for PowerShell + + >[!IMPORTANT] + >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. + +To install the newest version of the Diagnostic Data Viewer PowerShell module: +1. From an elevated Command Prompt, start a PowerShell session by running `C:\> powershell.exe`. +2. Install the module by name +```powershell +PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer +``` + +To see more information about the module, visit [PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer). + +### Turn on data viewing +Before you can use this tool, you must turn on data viewing. Turning on data viewing enables Windows to store a local history of your device's diagnostic data for you to view until you turn it off. + +Note that this setting does not control whether your device sends diagnostic data. Instead, it controls whether your Windows device saves a local copy of the diagnostic data sent for your viewing. + +**To turn on data viewing through the Settings page** +1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + +2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. + + ![Location to turn on data viewing](images/ddv-data-viewing.png) + +**To turn on data viewing through PowerShell** + +1. Install the Diagnostic Data Viewer for PowerShell module. +2. Run the Command prompt **as administrator**. +3. Start a PowerShell session by running `C:\> powershell.exe`. +4. Run the following commands in the PowerShell session: + +```powershell +PS C:\> Enable-DiagnosticDataViewing +``` + +Once data viewing is enabled, your Windows machine will begin saving a history of diagnostic data that is sent to Microsoft from this point on. + + >[!IMPORTANT] + >Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. + +### Start the Diagnostic Data Viewer +You must start this app from the **Settings** panel. + +**To start the Diagnostic Data Viewer** +1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + +2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. + + ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

-OR-

+ + Go to **Start** and search for _Diagnostic Data Viewer_. + +3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. + + >[!IMPORTANT] + >Turning on data viewing can use up to 1GB of disk space on your system drive. We strongly recommend that your turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. + +### Getting Started with Diagnostic Data Viewer for PowerShell +To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session: + +```powershell +PS C:\> Get-Help Get-DiagnosticData +``` + +**To Start Viewing Diagnostic Data** + +From an elevated PowerShell session, run the following command: + +```powershell +PS C:\> Get-DiagnosticData +``` + +If the number of events is large, and you'd like to stop the command, enter `Ctrl+C`. + + >[!IMPORTANT] + >The above command may produce little to no results if you enabled data viewing recently. It can take several minutes before your Windows device can show diagnostic data it has sent. Use your device as you normally would in the mean time and try again. + +### Doing more with the Diagnostic Data Viewer for PowerShell +The Diagnostic Data Viewer for PowerShell provides you with the following features to view and filter your device's diagnostic data. You can also use the extensive suite of other PowerShell tools with this module. + +- **View your diagnostic events.** Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. + + Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system. + +- **View Diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data). + + To view the diagnostic category represented by each numeric identifier and what the category means, you can run the command: + + ```powershell + PS C:\> Get-DiagnosticDataTypes + ``` + +- **Filter events by when they were sent.** You can view events within specified time ranges by specifying a start time and end time of each command. For example, to see all diagnostic data sent between 12 and 6 hours ago, run the following command. Note that data is shown in order of oldest first. + ```powershell + PS C:\> Get-DiagnosticData -StartTime (Get-Date).AddHours(-12) -EndTime (Get-Date).AddHours(-6) + ``` + +- **Export the results of each command.** You can export the results of each command to a separate file such as a csv by using pipe `|`. For example, + + ```powershell + PS C:\> Get-DiagnosticData | Export-Csv 'mydata.csv' + ``` + +## Turn off data viewing +When you're done reviewing your diagnostic data, we recommend turning off data viewing to prevent using up more memory. Turning off data viewing stops Windows from saving a history of your diagnostic data and clears the existing history of diagnostic data from your device. + +**To turn off data viewing through the Settings page** +1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + +2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. + + ![Location to turn off data viewing](images/ddv-settings-off.png) + +**To turn off data viewing through PowerShell** + +1. Run the Command prompt **as administrator**. +2. Start a PowerShell session by running `C:\> powershell.exe`. +3. Run the following commands in the PowerShell session: + +```powershell +PS C:\> Disable-DiagnosticDataViewing +``` + +## Modifying the size of your data history +By default, the tool will show you up to 1GB or 30 days of data (whichever comes first). Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. + +**Modify the size of your data history** + + >[!IMPORTANT] + >Modifying the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. + +You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum data history size to 2048MB (2GB), you can run the following command. + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Size 2048 +``` + +You can change the maximum data history time (in hours) that you can view. For example, to set the maximum data history time to 24 hours, you can run the following command. + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Time 24 +``` + + >[!IMPORTANT] + >You may need to restart your machine for the new settings to take effect. + + >[!IMPORTANT] + >If you have the [Diagnostic Data Viewer](diagnostic-data-viewer-overview.md) store app installed on the same device, modifications to the size of your data history through the PowerShell module will also be reflected in the app. + +**Reset the size of your data history** + +To reset the maximum data history size back to its original 1GB default value, run the following command in an elevated PowerShell session: + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Size 1024 -Time 720 +``` + + +## Related Links +- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) +- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps) \ No newline at end of file diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index 5a0db3b73e..d581476641 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -3,7 +3,9 @@ ## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) ## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) -## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) +## Diagnostic Data Viewer +### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) +### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) ## Basic level Windows diagnostic data events and fields ### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) ### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 22aa33e4b3..01f681caf7 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 11/07/2018 +ms.date: 12/13/2018 --- @@ -61,15 +61,15 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. -- **InventorySystemBios** The total InventorySystemBios objects that are present on this device. -- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. -- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device. -- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device. -- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device. -- **SystemWim** The total SystemWim objects that are present on this device -- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. -- **SystemWlan** The total SystemWlan objects that are present on this device. +- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows +- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows +- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows +- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows +- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows +- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows +- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows +- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows +- **SystemWlan** The count of InventoryApplicationFile objects present on this machine. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. @@ -335,7 +335,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -671,7 +671,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1757,8 +1757,107 @@ The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +## Content Delivery Manager events + +### Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent + +This event sends tracking data about the reliability of interactions with Windows spotlight content, to help keep Windows up to date. + +The following fields are available: + +- **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp. +- **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to. +- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc.. +- **placementId** Name of surface, such as LockScreen or Start. + + +### Microsoft.Windows.ContentDeliveryManager.ReportPlacementHealth + +This event sends aggregated client health data, summarizing information about the state of offers on a device, to help keep Windows up to date. + +The following fields are available: + +- **dataVersion** Schema version of the event that is used to determine what serialized content is available for placementReportedInfo and trackingInfo fields. +- **healthResult** A code that identifies user account health status as Unknown, Healthy, Unhealthy. +- **healthStateFlags** A code that represents a set of flags used to group devices in a health/unhealthy way. For example, Unhealthy, Healthy, RefreshNotScheduled, EmptyResponse, RenderedDefault, RenderFailure, RenderDelayed, and CacheEmpty. +- **placementHealthId** A code that represents which surface's health is being reported. For example, Default, LockScreen, LockScreenOverlay, StartMenu, SoftLanding, DefaultStartLayout1, DefaultStartLayout2, OemPreInstalledApps, FeatureManagement, SilentInstalledApps, NotificationChannel, SuggestedPenAppsSubscribedContent, TestAppSubscribedContent, OneDriveSyncNamespaceSubscribedContent, OneDriveLocalNamespaceSubscribedContent, OneDriveSyncNamespaceInternalSubscribedContent, and OneDriveLocalNamespaceInternalSubscribedContent. +- **placementReportedInfo** Serialized information that contains domain-specific health information written by each surface, such as lastUpportunityTime, lastOpportunityReportedTime, expectedExpirationTime, and rotationPeriod. +- **trackingInfo** Serialized information that contains domain-specific health information written by the content delivery manager, such as lastRefreshTime, nextRefreshTime, nextUpdateTime,renderPriorToLastOpportunityTime, lastRenderTime, lastImpressionTime, lastRulesRegistrationTime, registrationTime, lastRefreshBatchCount, lastEligibleCreativeCount, availableAppSlotCount, placeholderAppSlotCount, lastRenderSuccess, lastRenderDefault, isEnabled. + + +### Microsoft.Windows.ContentDeliveryManager.ReportPlacementState + +This event sends data about the opt-out state of a device or user that uses Windows spotlight, to help keep Windows up to date. + +The following fields are available: + +- **isEnabled** Indicates if the surface is enable to receive offers. +- **lastImpressionTime** The time when the last offer was seen. +- **lastRenderedCreativeId** ID of the last offer rendered by the surface. +- **lastRenderedTime** The time that the last offer was rendered. +- **nextRotationTime** The time in which the next offer will be rendered. +- **placementName** Name of surface, such as LockScreen or Start. +- **placementStateReportFlags** Flags that represent if the surface is capable of receiving offers, such as off by edition, off by Group Policy, off by user choice. +- **selectedPlacementId** ID of the surface/ring/markey combination, such as Lock-Internal-en-US. + + ## Diagnostic data events +### TelClientSynthetic.AbnormalShutdown_0 + +This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. + +The following fields are available: + +- **AbnormalShutdownBootId** Retrieves the Boot ID for which the abnormal shutdown was observed. +- **CrashDumpEnabled** OS configuration of the type of crash dump enabled; 0 = not enabled +- **CumulativeCrashCount** Cumulative count of OS crashes since the BootId reset +- **CurrentBootId** Retrieves the current boot ID. +- **FirmwareResetReasonEmbeddedController** Firmware-supplied reason for the reset. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional data related to the reset reason provided by the firmware. +- **FirmwareResetReasonPch** Hardware-supplied reason for the reset. +- **FirmwareResetReasonPchAdditional** Additional data related to the reset reason provided by the hardware. +- **FirmwareResetReasonSupplied** Indicates whether the firmware supplied any reset reason. +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType +- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. +- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **LastBugCheckBootId** "bootId of the captured Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does not correlate with the rest of the information""""ootId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does not correlate with the """"otId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check info in the event does n""""tId of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or the Last Bug Check inf""""Id of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId for analysis or th""""d of the captured ""Last Bug Check""; important to match AbnormalShutdownBootId"""" of the captured ""Last Bug Check""; important to match Abno""""of the captured ""Last Bug Check""; import""""f the captured ""Last Bu"""" the ca""" +- **LastBugCheckCode** Bug Check code indicating the type of error; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) +- **LastBugCheckContextFlags** Additional crashdump settings; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) +- **LastBugCheckOriginalDumpType** Type of crashdump the system intended to save; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) +- **LastBugCheckOtherSettings** Other crashdump settings; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) +- **LastBugCheckParameter1** First Bug Check parameter with additional info on the type of the error; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled > 0) +- **LastBugCheckProgress** Progress towards writing out the last crashdump; non-zero value indicates an attempt; LastBugCheck data is only available on UEFI-enabled systems (as indicated by FirmwareTypeId == 2) because it is saved in an EFI variable; LastBugCheck data is only available if crashdumping is enabled (as indicated by CrashDumpEnabled .> 0) +- **LastSuccessfullyShutdownBootId** Retrieves the last successfully/cleanly shutdown boot ID. +- **PowerButtonCumulativePressCount** "Number of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonLastPressBootId""umber of times the Power Button was detected to have been pressed ("pressed" not to be confused wit""mber of times the Power Button """umber of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonLastPressBootId""umber of times the Power Button was detected to have been ""mber of times the Power Button was detected to have been pressed (pressed" not to be confused with "released") for the BootId specified in PowerButtonL""ber of times the Power Button was detected to have been pressed (pressed" not""er o" +- **PowerButtonCumulativeReleaseCount** "Number of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLastReleaseBootId""umber of times the Power Button was detected to have been released ("released" not to be confused wit""mber of times the Power Button w"""umber of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLastReleaseBootId""umber of times the Power Button was detected to have been r""mber of times the Power Button was detected to have been released (released" not to be confused with "pressed") for the BootId specified in PowerButtonLa""ber of times the Power Button was detected to have been released (released" n""er" +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g. due to a failure to lock/update the bootstat file) +- **PowerButtonLastPressBootId** "BootId of the last time the Power Button was detected to have been pressed (pressed" not to be confused with "released")""ootId of the last time the Power Button was """ootId of the last time the Power Button was detected to have been pressed (pressed"""" +- **PowerButtonLastPressTime** "Date/time of the last time the Power Button was detected to have been pressed (pressed" not to be confused with "released")""ate/time of the last time the Power Button w"""ate/time of the last time the Power Button was detected to have been pressed (press" +- **PowerButtonLastReleaseBootId** "BootId of the last time the Power Button was detected to have been released (released" not to be confused with "pressed")""ootId of the last time the Power Button was """ootId of the last time the Power Button was detected to have been released (releas" +- **PowerButtonLastReleaseTime** "Date/time of the last time the Power Button was detected to have been released (released" not to be confused with "pressed")""ate/time of the last time the Power Button w"""ate/time of the last time the Power Button was detected to have been released (rel" +- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed +- **PowerButtonPressLastPowerWatchdogStage** Progress while monitor/display is being turned on; ranges from 0 (no progress) to 0x50 (completion); if PowerButtonPressPowerWatchdogArmed == TRUE (armed), the value represents the current stage whereas if PowerButtonPressPowerWatchdogArmed == FALSE (not armed),the value represents the last completed stage at the time of the last Power Button press, +- **PowerButtonPressPowerWatchdogArmed** Inidicates whether or not the watchdog for the monitor/display was active at the time of the last Power Button press +- **TransitionInfoBootId** "BootId of the captured Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does not correlate with the rest of the information""""ootId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does not correlate with the """"otId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Info in the event does n""""tId of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis or the Transition Inf""""Id of the captured ""Transition Info""; important to match AbnormalShutdownBootId for analysis o""""d of the captured ""Transition Info""; important to match AbnormalShutdownBo"""" of the captured ""Transition Info""; important to match """"of the captured ""Transition Info""; im""""f the captured ""Tran"""" the""" +- **TransitionInfoCSCount** "Total number of times the system transitioned from Connected Standby mode to on" at the time the last marker was saved""otal number of times the system transitio"""otal number of times the system transitioned from Connected Standby mode to on" at""tal" +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode +- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode +- **TransitionInfoCSInProgress** At the time the last marker was saved,the system was in or entering Connected Standby mode +- **TransitionInfoLastReferenceTimeChecksum** Checksum of TransitionInfoLastReferenceTimestamp +- **TransitionInfoLastReferenceTimestamp** Date/time the marker was last saved +- **TransitionInfoPowerButtonTimestamp** Date/time of the last time the Power Button was detected to have been pressed (collected via a different mechanism than PowerButtonLastPressTime) +- **TransitionInfoSleepInProgress** At the time the last marker was saved,the system was in or entering Sleep mode +- **TransitionInfoSleepTranstionsToOn** "Total number of times the system transitioned from Sleep mode to on" at the time the last marker was saved""otal number of times the system transitio"""otal number of times the system transitioned from Sleep mode to on" at the time th""tal number of t" +- **TransitionInfoSystemRunning** At the time the last marker was saved,the system was running +- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. +- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. +- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. +- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. +- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. + + ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -1856,6 +1955,24 @@ The following fields are available: - **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex. +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + + + +### TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate + +This event is triggered when UTC determines it needs to send information about personalization settings of the user. + + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -2571,6 +2688,31 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +### Microsoft.Windows.Kernel.Power.OSStateChange + +This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to help monitor reliability and performance of managed devices. + +The following fields are available: + +- **AcPowerOnline** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power. +- **ActualTransitions** This will give the actual transitions number +- **BatteryCapacity** Maximum battery capacity in mWh +- **BatteryCharge** Current battery charge as a percentage of total capacity +- **BatteryDischarging** Flag indicating whether the battery is discharging or charging +- **BootId** Monotonically increasing boot id, reset on upgrades. +- **BootTimeUTC** Boot time in UTC  file time. +- **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot. +- **LastStateTransition** The previous state transition on the device. +- **LastStateTransitionSub** The previous state subtransition on the device. +- **StateDurationMS** Milliseconds spent in the state being departed +- **StateTransition** Transition type PowerOn=1, Shutdown, Suspend, Resume, Heartbeat. +- **StateTransitionSub** Subtransition type Normal=1, Reboot, Hiberboot, Standby, Hibernate, ConnectedStandby, Reserved, HybridSleep. +- **TotalDurationMS** Total time device has been up in milliseconds in wall clock time. +- **TotalUptimeMS** Total time device has been on (not in a suspended state) in milliseconds. +- **TransitionsToOn** TransitionsToOn increments each time the system successfully completes a system sleep event, and is sent as part of the PowerTransitionEnd ETW event. +- **UptimeDeltaMS** Duration in last state in milliseconds. + + ## OneDrive events ### Microsoft.OneDrive.Sync.Setup.APIOperation @@ -2627,43 +2769,6 @@ The following fields are available: - **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. -### Microsoft.OneDrive.Sync.Setup.SetupCommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArchitecture** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **MachineGuid** The CEIP machine ID. -- **Market** Which market is this in? -- **MSFTInternal** Is this an internal Microsoft device? -- **OfficeVersionString** The version of Office that is installed. -- **OSDeviceName** Only if the device is internal to Microsoft, the device name. -- **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** The CEIP user ID. - - -### Microsoft.OneDrive.Sync.Updater.CommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArch** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **IsMSFTInternal** TRUE if the device is an internal Microsoft device. -- **MachineGuid** The GUID (Globally Unique ID) that identifies the machine for the CEIP (Customer Experience Improvement Program). -- **Market** Which market is this in? -- **OfficeVersion** The version of Office that is installed. -- **OneDriveDeviceId** The OneDrive device ID. -- **OSDeviceName** Only if the device is internal to Microsoft, the device name. -- **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** The GUID (Globally Unique ID) of the user currently logged in. - - ### Microsoft.OneDrive.Sync.Updater.ComponentInstallState This event includes basic data about the installation state of dependent OneDrive components. @@ -2750,48 +2855,11 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - ## Remediation events ### Microsoft.Windows.Remediation.Applicable -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. The following fields are available: @@ -2814,7 +2882,7 @@ The following fields are available: - **HResult** The HRESULT for detection or perform action phases of the plugin. - **IsAppraiserLatestResult** The HRESULT from the appraiser task. - **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. -- **LastHresult** The HResult of the operation. +- **LastHresult** The HRESULT for detection or perform action phases of the plugin. - **LastRun** The date of the most recent SIH run. - **NextRun** Date of the next scheduled SIH run. - **PackageVersion** The version of the current remediation package. @@ -2875,7 +2943,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +This event enables completion tracking of a process that remediates issues preventing security and quality updates. The following fields are available: @@ -2964,9 +3032,123 @@ The following fields are available: - **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes. +### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent + +This event indicates that an unexpected error occurred during an update and provides information to help address the issue. + +The following fields are available: + +- **CV** The Correlation vector. +- **ErrorMessage** A description of any errors encountered while the plug-in was running. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **Hresult** The result of the event execution. +- **PackageVersion** The version number of the current remediation package. +- **SessionGuid** GUID associated with a given execution of sediment pack. + + +### Microsoft.Windows.Remediation.Error + +This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue. + +The following fields are available: + +- **HResult** The result of the event execution. +- **Message** A message containing information about the error that occurred. +- **PackageVersion** The version number of the current remediation package. + + +### Microsoft.Windows.Remediation.FallbackError + +This event indicates an error when Self Update results in a Fallback and provides information to help address the issue. + +The following fields are available: + +- **s0** Indicates the Fallback error level. See [Microsoft.Windows.Remediation.wilResult](#microsoftwindowsremediationwilresult). +- **wilResult** The result of the Windows Installer Logging. See [wilResult](#wilresult). + + +### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent + +This event occurs when the Notify User task executes and provides information about the cause of the notification. + +The following fields are available: + +- **CV** The Correlation vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **PackageVersion** The version number of the current remediation package. +- **RemediationNotifyUserFixIssuesCallResult** The result of calling the USO (Update Session Orchestrator) sequence steps. +- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** The error code from the USO (Update Session Orchestrator) download call. +- **RemediationNotifyUserFixIssuesUsoInitializedHr** The error code from the USO (Update Session Orchestrator) initialize call. +- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** The error code from the USO (Update Session Orchestrator) proxy blanket call. +- **RemediationNotifyUserFixIssuesUsoSetSessionHr** The error code from the USO (Update Session Orchestrator) session call. + + +### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId + +This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **hResult** The result of the event execution. +- **PackageVersion** The version number of the current remediation package. + + +### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId + +This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **PackageVersion** The version number of the current remediation package. +- **RemediationShellUnexpectedExceptionId** The ID of the remediation plug-in that caused the exception. + + +### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed + +This event tracks the health of key update (Remediation) services and whether they are enabled. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **hResult** The result of the event execution. +- **PackageVersion** The version number of the current remediation package. +- **serviceName** The name associated with the operation. + + +### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId + +This event returns information about the upgrade upon success to help ensure Windows is up to date. + +The following fields are available: + +- **AppraiserPlugin** TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful. +- **ClearAUOptionsPlugin** TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys were successfully deleted. +- **CV** The Correlation Vector. +- **DatetimeSyncPlugin** TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully. +- **DiskCleanupPlugin** TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **NoisyHammerPlugin** TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully. +- **PackageVersion** The version number of the current remediation package. +- **RebootRequiredPlugin** TRUE / FALSE depending on whether the Reboot plug-in ran successfully. +- **RemediationNotifyUserFixIssuesPlugin** TRUE / FALSE depending on whether the User Fix Issues plug-in ran successfully +- **RemediationPostUpgradeDiskSpace** The amount of disk space available after the upgrade. +- **RemediationPostUpgradeHibernationSize** The size of the Hibernation file after the upgrade. +- **ServiceHealthPlugin** A list of services updated by the plug-in. +- **SIHHealthPlugin** TRUE / FALSE depending on whether the SIH Health plug-in ran successfully. +- **StackDataResetPlugin** TRUE / FALSE depending on whether the update stack completed successfully. +- **TaskHealthPlugin** A list of tasks updated by the plug-in. +- **UpdateApplicabilityFixerPlugin** TRUE / FALSE depending on whether the update applicability fixer plug-in completed successfully. +- **WindowsUpdateEndpointPlugin** TRUE / FALSE depending on whether the Windows Update Endpoint was successful. + + ### Microsoft.Windows.Remediation.Started -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +This event reports whether a plug-in started, to help ensure Windows is up to date. The following fields are available: @@ -2977,6 +3159,31 @@ The following fields are available: - **Result** This is the HRESULT for detection or perform action phases of the plugin. +### Microsoft.Windows.Remediation.wilResult + +This event provides Self Update information to help keep Windows up to date. + +The following fields are available: + +- **callContext** A list of diagnostic activities containing this error. +- **currentContextId** An identifier for the newest diagnostic activity containing this error. +- **currentContextMessage** A message associated with the most recent diagnostic activity containing this error (if any). +- **currentContextName** Name of the most recent diagnostic activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** The identifier assigned to this failure. +- **failureType** Indicates the type of failure observed (exception, returned, error, logged error, or fail fast). +- **fileName** The source code file name where the error occurred. +- **function** The name of the function where the error occurred. +- **hresult** The failure error code. +- **lineNumber** The Line Number within the source code file where the error occurred. +- **message** A message associated with the failure (if any). +- **module** The name of the binary module in which the error occurred. +- **originatingContextId** The identifier for the oldest diagnostic activity containing this error. +- **originatingContextMessage** A message associated with the oldest diagnostic activity containing this error (if any). +- **originatingContextName** The name of the oldest diagnostic activity containing this error. +- **threadId** The identifier of the thread the error occurred on. + + ## Sediment events ### Microsoft.Windows.Sediment.Info.AppraiserData @@ -3326,17 +3533,15 @@ The following fields are available: - **Time** The system time at which the event occurred. -## Sediment Launcher events - ### Microsoft.Windows.SedimentLauncher.Applicable -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +Indicates whether a given plugin is applicable. The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. - **IsSelfUpdateNeeded** True if self update needed by device. - **PackageVersion** Current package version of Remediation. @@ -3346,43 +3551,97 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Completed -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +Indicates whether a given plugin has completed its work. The following fields are available: - **CV** Correlation vector. - **FailedReasons** Concatenated list of failure reasons. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. +### Microsoft.Windows.SedimentLauncher.Error + +This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful. + +The following fields are available: + +- **HResult** The result for the Detection or Perform Action phases of the plug-in. +- **Message** A message containing information about the error that occurred (if any). +- **PackageVersion** The version number of the current remediation package. + + +### Microsoft.Windows.SedimentLauncher.FallbackError + +This event indicates that an error occurred during execution of the plug-in fallback. + +The following fields are available: + +- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult). + + +### Microsoft.Windows.SedimentLauncher.Information + +This event provides general information returned from the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Information message returned from a plugin containing only information internal to the plugins execution. +- **PackageVersion** Current package version of Remediation. + + ### Microsoft.Windows.SedimentLauncher.Started -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +This event indicates that a given plug-in has started. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. -## Sediment Service events +### Microsoft.Windows.SedimentLauncher.wilResult + +This event provides the result from the Windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** Identifier assigned to this failure. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). +- **fileName** Source code file name where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source code file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + ### Microsoft.Windows.SedimentService.Applicable -This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. +This event indicates whether a given plug-in is applicable. The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Determine whether action needs to run based on device properties. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. - **IsSelfUpdateNeeded** Indicates if self update is needed. - **PackageVersion** Current package version of Remediation. @@ -3392,13 +3651,13 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Completed -This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. +This event indicates whether a given plug-in has completed its work. The following fields are available: - **CV** Correlation vector. - **FailedReasons** List of reasons when the plugin action failed. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. @@ -3412,9 +3671,40 @@ The following fields are available: - **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. +### Microsoft.Windows.SedimentService.Error + +This event indicates whether an error condition occurred in the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Custom message associated with the failure (if any). +- **PackageVersion** Current package version of Remediation. + + +### Microsoft.Windows.SedimentService.FallbackError + +This event indicates whether an error occurred for a fallback in the plug-in. + +The following fields are available: + +- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult). + + +### Microsoft.Windows.SedimentService.Information + +This event provides general information returned from the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Custom message associated with the failure (if any). +- **PackageVersion** Current package version of Remediation. + + ### Microsoft.Windows.SedimentService.Started -This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. +This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. The following fields are available: @@ -3425,6 +3715,31 @@ The following fields are available: - **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. +### Microsoft.Windows.SedimentService.wilResult + +This event provides the result from the Windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** Identifier assigned to this failure. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). +- **fileName** Source code file name where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source code file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + + ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent @@ -3719,7 +4034,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -3762,6 +4077,30 @@ The following fields are available: - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BundleID** Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all zeros +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state + + ### SoftwareUpdateClientTelemetry.Install This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. @@ -3891,7 +4230,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -4296,9 +4635,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -4460,7 +4799,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -4488,6 +4827,45 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). +### WerTraceloggingProvider.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. + +The following fields are available: + +- **AppName** The name of the app that crashed. +- **AppSessionGuid** The unique ID used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date time stamp of the app. +- **AppVersion** The version of the app that crashed. +- **ExceptionCode** The exception code returned by the process that crashed. +- **ExceptionOffset** The address where the exception occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, do not terminate the process after reporting. +- **ModName** The module name of the process that crashed. +- **ModTimeStamp** The date time stamp of the module. +- **ModVersion** The module version of the process that crashed. +- **PackageFullName** The package name if the crashing application is packaged. +- **PackageRelativeAppId** The relative application ID if the crashing application is packaged. +- **ProcessArchitecture** The architecture of the system. +- **ProcessCreateTime** The time of creation of the process that crashed. +- **ProcessId** The ID of the process that crashed. +- **ReportId** A unique ID used to identify the report. This can be used to track the report. +- **TargetAppId** The target app ID. +- **TargetAppVer** The target app version. + + +## Windows Phone events + +### Microsoft.Windows.Phone.Telemetry.OnBoot.RebootReason + +This event lists the reboot reason when an app is going to reboot. + +The following fields are available: + +- **BootId** The boot ID. +- **BoottimeSinceLastShutdown** The boot time since the last shutdown. +- **RebootReason** Reason for the reboot. + + ## Windows Store events ### Microsoft.Windows.Store.Partner.ReportApplication @@ -4496,6 +4874,17 @@ Report application event for Windows Store client. +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. @@ -4519,7 +4908,7 @@ The following fields are available: - **ProductId** The identity of the package or packages being installed. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** Licensing identity of this package. +- **WUContentId** The Windows Update content ID. ### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds @@ -5275,7 +5664,7 @@ The following fields are available: - **EventPublishedTime** Time when this event was generated. - **flightID** The specific ID of the Windows Insider build. - **revisionNumber** Update revision number. -- **updateId** Unique Update ID. +- **updateId** Unique Windows Update ID. - **updateScenarioType** Update session type. - **UpdateStatus** Last status of update. - **wuDeviceid** Unique Device ID. @@ -5470,6 +5859,19 @@ The following fields are available: - **wuDeviceid** The ID of the device in which the error occurred. +### Microsoft.Windows.Update.Orchestrator.USODiagnostics + +This event sends data on whether the state of the update attempt, to help keep Windows up to date. + +The following fields are available: + +- **errorCode** result showing success or failure of current update +- **revisionNumber** Unique revision number of the Update +- **updateId** Unique ID for Update +- **updateState** Progress within an update state +- **wuDeviceid** Unique ID for Device + + ### Microsoft.Windows.Update.Orchestrator.UsoSession This event represents the state of the USO service at start and completion. @@ -5598,4 +6000,41 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 8e49f96e10..bd9b834375 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 11/07/2018 +ms.date: 12/13/2018 --- @@ -70,16 +70,16 @@ The following fields are available: - **InventorySystemBios** The count of the number of this particular object type present on this device. - **InventoryTest** The count of the number of this particular object type present on this device. - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** The count of the number of this particular object type present on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. +- **PCFP** An ID for the system, calculated by hashing hardware identifiers. +- **SystemMemory** The count of SystemMemory objects present on this machine. - **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. - **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The count of the number of this particular object type present on this device. -- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device. -- **SystemProcessorSse2** The count of the number of this particular object type present on this device. -- **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The count of the number of this particular object type present on this device. -- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The count of SystemProcessorNx objects present on this machine. +- **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine. +- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. +- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemWim** The count of SystemWim objects present on this machine. +- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. - **SystemWlan** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. @@ -359,7 +359,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -706,7 +706,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1858,6 +1858,57 @@ The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +## Component-based Servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **highestState** The highest final install state of the optional content. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + ## Diagnostic data events ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition @@ -1868,7 +1919,13 @@ This event sends data indicating that a device has undergone a change of telemet ### TelClientSynthetic.AuthorizationInfo_Startup -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. +Fired by UTC at startup to signal what data we are allowed to collect. + + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. @@ -1906,6 +1963,12 @@ The following fields are available: - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +### TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate + +This event is triggered when UTC determines it needs to send information about personalization settings of the user. + + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -2305,12 +2368,12 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device setup class guid of the driver loaded for the device. -- **COMPID** The list of compat ids for the device. -- **ContainerId** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. -- **Description** The device description. -- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present +- **Class** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **ClassGuid** A unique identifier for the driver installed. +- **COMPID** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). +- **ContainerId** INF file name (the name could be renamed by OS, such as oemXX.inf) +- **Description** The version of the inventory binary generating the events. +- **DeviceState** The current error code for the device. - **DriverId** A unique identifier for the driver installed. - **DriverName** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). - **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. @@ -2481,22 +2544,22 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AddinCLSID** The CLSID for the Office addin -- **AddInCLSID** The CLSID for the Add-in -- **AddInId** Add-In identifier +- **AddInCLSID** CLSID key for the office addin +- **AddInId** Office addin ID - **AddinType** The type of the Office addin. - **BinFileTimestamp** Timestamp of the Office addin - **BinFileVersion** Version of the Office addin -- **Description** Add-in description +- **Description** Office addin description - **FileId** FileId of the Office addin - **FileSize** File size of the Office addin -- **FriendlyName** Add-in friendly name -- **FullPath** Full path to the add-in module -- **LoadBehavior** The load behavior -- **LoadTime** The load time for the add-in -- **OfficeApplication** The Microsoft Office application associated with the add-in +- **FriendlyName** Friendly name for office addin +- **FullPath** Unexpanded path to the office addin +- **LoadBehavior** Uint32 that describes the load behavior +- **LoadTime** Load time for the office add in +- **OfficeApplication** The office application for this add in - **OfficeArchitecture** Architecture of the addin -- **OfficeVersion** The Microsoft Office version installed -- **OutlookCrashingAddin** Whether the Outlook addin is crashing +- **OfficeVersion** The office version for this add in +- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add in - **ProductCompany** The name of the company associated with the Office addin - **ProductName** The product name associated with the Office addin - **ProductVersion** The version associated with the Office addin @@ -2928,83 +2991,11 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events - -### CbsServicingProvider.CbsCapabilityEnumeration - -This event reports on the results of scanning for optional Windows content on Windows Update. - -The following fields are available: - -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionFinalize - -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. - -The following fields are available: - -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **highestState** The highest final install state of the optional content. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. - - -### CbsServicingProvider.CbsCapabilitySessionPended - -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. - -The following fields are available: - -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. - - -### Microsoft.Windows.WaaSAssessment.Error - -This event returns the name of the missing setting needed to determine the Operating System build age. - -The following fields are available: - -- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String. - - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - - - ## Remediation events ### Microsoft.Windows.Remediation.Applicable -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. The following fields are available: @@ -3022,7 +3013,7 @@ The following fields are available: - **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. - **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. - **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. -- **GlobalEventCounter** Client side counter that indicates ordering of events. +- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system. - **HResult** The HRESULT for detection or perform action phases of the plugin. - **IsAppraiserLatestResult** The HRESULT from the appraiser task. - **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. @@ -3085,9 +3076,29 @@ The following fields are available: - **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. +### Microsoft.Windows.Remediation.ChangePowerProfileDetection + +Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates. + +The following fields are available: + +- **ActionName** A descriptive name for the plugin action +- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device +- **CV** Correlation vector +- **GlobalEventCounter** Counter that indicates the ordering of events on the device +- **PackageVersion** Current package version of remediation service +- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0) +- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update +- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit. +- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates +- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues +- **SetupMutexAvailable** Result that shows whether setup mutex is available or not +- **SysPowerStatusAC** Result that shows whether system is on AC power or not + + ### Microsoft.Windows.Remediation.Completed -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +This event enables completion tracking of a process that remediates issues preventing security and quality updates. The following fields are available: @@ -3109,7 +3120,7 @@ The following fields are available: - **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. -- **GlobalEventCounter** Client-side counter that indicates ordering of events. +- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. - **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. - **hasRolledBack** Indicates whether the client machine has rolled back. - **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. @@ -3202,14 +3213,30 @@ The following fields are available: - **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key. +### Microsoft.Windows.Remediation.RemediationShellMainExeEventId + +Enables tracking of completion of process that remediates issues preventing security and quality updates. + +The following fields are available: + +- **CV** Client side counter which indicates ordering of events sent by the remediation system. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. +- **PackageVersion** Current package version of Remediation. +- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running. +- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors. +- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly. +- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly. +- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly. + + ### Microsoft.Windows.Remediation.Started -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +This event reports whether a plug-in started, to help ensure Windows is up to date. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. @@ -3279,17 +3306,15 @@ The following fields are available: - **Time** System timestamp the event was fired -## Sediment Launcher events - ### Microsoft.Windows.SedimentLauncher.Applicable -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +Indicates whether a given plugin is applicable. The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. - **IsSelfUpdateNeeded** True if self update needed by device. - **PackageVersion** Current package version of Remediation. @@ -3299,43 +3324,98 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Completed -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. +Indicates whether a given plugin has completed its work. The following fields are available: - **CV** Correlation vector. - **FailedReasons** Concatenated list of failure reasons. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. +### Microsoft.Windows.SedimentLauncher.Error + +Error occurred during execution of the plugin. + +The following fields are available: + +- **HResult** The result for the Detection or Perform Action phases of the plug-in. +- **Message** A message containing information about the error that occurred (if any). +- **PackageVersion** The version number of the current remediation package. + + +### Microsoft.Windows.SedimentLauncher.FallbackError + +This event indicates that an error occurred during execution of the plug-in fallback. + +The following fields are available: + +- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult). +- **wilResult** Result from executing wil based function. See [wilResult](#wilresult). + + +### Microsoft.Windows.SedimentLauncher.Information + +This event provides general information returned from the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Information message returned from a plugin containing only information internal to the plugins execution. +- **PackageVersion** Current package version of Remediation. + + ### Microsoft.Windows.SedimentLauncher.Started -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. +This event indicates that a given plug-in has started. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. -## Sediment Service events +### Microsoft.Windows.SedimentLauncher.wilResult + +This event provides the result from the Windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** Identifier assigned to this failure. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). +- **fileName** Source code file name where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source code file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + ### Microsoft.Windows.SedimentService.Applicable -This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. +This event indicates whether a given plug-in is applicable. The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Determine whether action needs to run based on device properties. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. - **IsSelfUpdateNeeded** Indicates if self update is needed. - **PackageVersion** Current package version of Remediation. @@ -3345,13 +3425,13 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Completed -This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. +This event indicates whether a given plug-in has completed its work. The following fields are available: - **CV** Correlation vector. - **FailedReasons** List of reasons when the plugin action failed. -- **GlobalEventCounter** Client side counter which indicates ordering of events. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. @@ -3365,9 +3445,41 @@ The following fields are available: - **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. +### Microsoft.Windows.SedimentService.Error + +This event indicates whether an error condition occurred in the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Custom message associated with the failure (if any). +- **PackageVersion** Current package version of Remediation. + + +### Microsoft.Windows.SedimentService.FallbackError + +This event indicates whether an error occurred for a fallback in the plug-in. + +The following fields are available: + +- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult). +- **wilResult** Result for wil based function. See [wilResult](#wilresult). + + +### Microsoft.Windows.SedimentService.Information + +This event provides general information returned from the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Custom message associated with the failure (if any). +- **PackageVersion** Current package version of Remediation. + + ### Microsoft.Windows.SedimentService.Started -This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. +This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. The following fields are available: @@ -3378,6 +3490,31 @@ The following fields are available: - **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. +### Microsoft.Windows.SedimentService.wilResult + +This event provides the result from the Windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** Identifier assigned to this failure. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). +- **fileName** Source code file name where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source code file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + + ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent @@ -3666,7 +3803,7 @@ Download process event for target update on Windows Update client (see eventscen The following fields are available: -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. - **BiosFamily** The family of the BIOS (Basic Input Output System). @@ -3675,11 +3812,11 @@ The following fields are available: - **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. - **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle). +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. @@ -3698,7 +3835,7 @@ The following fields are available: - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific id of the flight (pre-release build) the device is getting. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. @@ -3714,10 +3851,10 @@ The following fields are available: - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -3804,14 +3941,14 @@ The following fields are available: - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install? - **BundleRevisionNumber** Identifies the revision number of the content bundle. - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **ClientVersion** The version number of the software distribution client. - **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeviceModel** The device model. +- **CurrentMobileOperator** Mobile operator that device is currently connected to. +- **DeviceModel** What is the device model. - **DriverPingBack** Contains information about the previous driver and system state. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. @@ -3827,21 +3964,21 @@ The following fields are available: - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update? +- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process? +- **IsFirmware** Is this update a firmware update? +- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart? - **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device? - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MergedUpdate** Was the OS update and a BSP update merged for installation? - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. - **PackageFullName** The package name of the content being installed. - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Are quality OS updates paused on the device? - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. - **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. @@ -3851,8 +3988,8 @@ The following fields are available: - **SystemBIOSMinorRelease** Minor version of the BIOS. - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. +- **TransactionCode** The ID which represents a given MSI installation +- **UpdateId** Unique update ID - **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. @@ -4382,7 +4519,7 @@ The following fields are available: - **CV** Correlation vector. - **DetectorVersion** Most recently run detector version for the current campaign. - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. -- **key1** Interaction data for the UI +- **key1** UI interaction data - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -4393,7 +4530,7 @@ The following fields are available: - **key17** UI interaction data - **key18** UI interaction data - **key19** UI interaction data -- **key2** Interaction data for the UI +- **key2** UI interaction data - **key20** UI interaction data - **key21** UI interaction data - **key22** UI interaction data @@ -4404,12 +4541,12 @@ The following fields are available: - **key27** UI interaction data - **key28** UI interaction data - **key29** UI interaction data -- **key3** Interaction data for the UI +- **key3** UI interaction data - **key30** UI interaction data -- **key4** Interaction data for the UI -- **key5** UI interaction type -- **key6** Current package version of UNP -- **key7** UI interaction type +- **key4** UI interaction data +- **key5** UI interaction data +- **key6** UI interaction data +- **key7** UI interaction data - **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. @@ -4562,9 +4699,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. @@ -4726,7 +4863,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -4736,6 +4873,15 @@ The following fields are available: ## Windows as a Service diagnostic events +### Microsoft.Windows.WaaSAssessment.Error + +This event returns the name of the missing setting needed to determine the Operating System build age. + +The following fields are available: + +- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String. + + ### Microsoft.Windows.WaaSMedic.Summary This event provides the results of the WaaSMedic diagnostic run @@ -4803,6 +4949,17 @@ Report application event for Windows Store client. +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. @@ -5047,7 +5204,7 @@ The following fields are available: ### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare -This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. The following fields are available: @@ -5061,9 +5218,9 @@ FulfillmentComplete event is fired at the end of an app install or update. We us The following fields are available: - **FailedRetry** Tells us if the retry for an install or update was successful or not. -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. +- **HResult** Resulting HResult error/success code of this call +- **PFN** Package Family Name of the app that being installed or updated +- **ProductId** Product Id of the app that is being updated or installed ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate @@ -5178,6 +5335,144 @@ The following fields are available: ## Windows Update Delivery Optimization events +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **callerName** Name of the API caller. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **clientTelId** A random number used for device sampling. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **reasonCode** Reason the action or event occurred. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **callerName** Name of the API caller. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **clientTelId** A random number used for device sampling. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **numPeers** The total number of peers used for this download. +- **restrictedUpload** Is the upload restricted? +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **callerName** The name of the API caller. +- **clientTelId** A random number used for device sampling. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **reasonCode** The reason for pausing the download. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **callerName** Name of the API caller. +- **cdnUrl** The URL of the source CDN. +- **clientTelId** A random number used for device sampling. +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization. +- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering. +- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization. +- **peerID** The ID for this delivery optimization client. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID for the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. @@ -5201,6 +5496,20 @@ The following fields are available: - **sessionID** The ID of the download session. +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **clientTelId** A random number used for device sampling. +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit @@ -5270,14 +5579,14 @@ This event collects information regarding the install phase of the new device ma The following fields are available: -- **errorCode** The error code returned for the current install phase. -- **flightId** Unique ID for each flight. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **result** Outcome of the install phase of the update. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **updateId** Unique ID for each Update. +- **errorCode** The error code returned for the current install phase +- **flightId** The unique identifier for each flight +- **objectId** Unique value for each Update Agent mode +- **relatedCV** Correlation vector value generated from the latest scan +- **result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** Unique value for each Update Agent mode attempt +- **updateId** Unique ID for each update ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart @@ -5286,13 +5595,13 @@ This event sends data for the start of each mode during the process of updating The following fields are available: -- **flightId** Unique ID for each flight. -- **mode** The mode that is starting. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **updateId** Unique ID for each Update. +- **flightId** The unique identifier for each flight +- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit +- **objectId** Unique value for each Update Agent mode +- **relatedCV** Correlation vector value generated from the latest scan +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** Unique value for each Update Agent mode attempt +- **updateId** Unique ID for each update ### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed @@ -5372,15 +5681,15 @@ This event indicates that a scan for a Windows Update occurred. The following fields are available: - **deferReason** Reason why the device could not check for updates. -- **detectionBlockreason** Reason for blocking detection +- **detectionBlockreason** Reason for detection not completing. - **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** Error value -- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **errorCode** The returned error code. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **flightID** The specific ID of the Windows Insider build the device is getting. - **interactive** Indicates whether the session was user initiated. - **revisionNumber** Update revision number. - **updateId** Update ID. -- **updateScenarioType** The update session type. +- **updateScenarioType** Device ID - **wuDeviceid** Unique device ID used by Windows Update. @@ -5511,6 +5820,23 @@ The following fields are available: - **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). +### Microsoft.Windows.Update.Orchestrator.PostInstall + +This event is sent after a Windows update install completes. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **bundleId** Identifier associated with the specific content bundle. +- **bundleRevisionnumber** Identifies the revision number of the content bundle. +- **errorCode** The error code returned for the current phase. +- **eventScenario** State of update action. +- **flightID** Update session type +- **sessionType** The Windows Update session type (Interactive or Background). +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.PreShutdownStart This event is generated before the shutdown and commit operations. @@ -5590,6 +5916,21 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed This event sends information about an update that encountered problems and was not able to complete. @@ -5710,7 +6051,7 @@ The following fields are available: - **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. - **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. - **rebootState** Current state of the reboot. -- **revisionNumber** Revision number of the update that is getting installed with this reboot. +- **revisionNumber** Revision number of the OS. - **scheduledRebootTime** Time scheduled for the reboot. - **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. - **updateId** Identifies which update is being scheduled. @@ -5786,4 +6127,18 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 8fed168ec8..af938824ba 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 11/07/2018 +ms.date: 12/13/2018 --- @@ -48,34 +48,51 @@ The following fields are available: - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. @@ -96,6 +113,7 @@ The following fields are available: - **SystemWlan** The count of SystemWlan objects present on this machine. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -353,6 +371,7 @@ The following fields are available: - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. - **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? @@ -372,7 +391,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -408,6 +427,7 @@ The following fields are available: - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? - **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? @@ -449,6 +469,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. - **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? - **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? @@ -527,6 +548,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? @@ -638,6 +660,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. - **HasBiosBlock** Does the device have a BIOS block? @@ -686,6 +709,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. - **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. @@ -693,6 +718,8 @@ The following fields are available: - **CompanyName** The company name of the vendor who developed this file. - **FileId** A hash that uniquely identifies a file. - **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. - **LinkDate** The date and time that this file was linked on. - **LowerCaseLongPath** The full file path to the file that was inventoried on the device. - **Name** The name of the file that was inventoried. @@ -715,7 +742,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1272,6 +1299,8 @@ The following fields are available: - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. - **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. - **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. @@ -1692,6 +1721,7 @@ The following fields are available: - **OSRolledBack** A flag that represents when a feature update has rolled back during setup. - **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . - **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. - **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. @@ -1910,6 +1940,83 @@ The following fields are available: - **ImageName** Name of file. +## Component-based Servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + ## Deployment extensions ### DeploymentTelemetry.Deployment_End @@ -1980,7 +2087,7 @@ The following fields are available: ## Diagnostic data events -### TelClientSynthetic.AuthorizationInfo_Startup +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -1999,6 +2106,40 @@ The following fields are available: - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartbeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **LastFreeNetworkLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** The network state of the device. +- **NoNetworkTimeSec** The total number of seconds without network during this heartbeat period. +- **RestrictedNetworkTimeSec** The total number of seconds with restricted network during this heartbeat period. + + ### TelClientSynthetic.HeartBeat_5 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. @@ -3257,6 +3398,9 @@ Indicates that this particular data object represented by the objectInstanceId i This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync @@ -3344,6 +3488,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **InventoryVersion** The version of the inventory binary generating the events. - **OfficeApplication** The name of the Office application. - **OfficeArchitecture** The bitness of the Office application. - **OfficeVersion** The version of the Office application. @@ -3356,6 +3501,9 @@ Indicates that this particular data object represented by the objectInstanceId i This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync @@ -3364,6 +3512,9 @@ This diagnostic event indicates that a new sync is being generated for this obje This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd @@ -3430,6 +3581,7 @@ The following fields are available: - **DuplicateVBA** Count of files with duplicate VBA code - **HasVBA** Count of files with VBA code - **Inaccessible** Count of files that were inaccessible for scanning +- **InventoryVersion** The version of the inventory binary generating the events. - **Issues** Count of files with issues detected - **Issues_x64** Count of files with 64-bit issues detected - **IssuesNone** Count of files with no issues detected @@ -3481,6 +3633,9 @@ This event indicates that a new sync is being generated for this object type. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync @@ -3735,82 +3890,67 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events +## Privacy consent logging events -### CbsServicingProvider.CbsCapabilityEnumeration +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted -This event reports on the results of scanning for optional Windows content on Windows Update. +This event is used to determine whether the user successfully completed the privacy consent experience. The following fields are available: -- **architecture** Indicates the scan was limited to the specified architecture. -- **capabilityCount** The number of optional content packages found during the scan. -- **clientId** The name of the application requesting the optional content. -- **duration** The amount of time it took to complete the scan. -- **hrStatus** The HReturn code of the scan. -- **language** Indicates the scan was limited to the specified language. -- **majorVersion** Indicates the scan was limited to the specified major version. -- **minorVersion** Indicates the scan was limited to the specified minor version. -- **namespace** Indicates the scan was limited to packages in the specified namespace. -- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience -### CbsServicingProvider.CbsCapabilitySessionFinalize +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentPrep -This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. +This event is used to determine whether the user needs to see the privacy consent experience or not. The following fields are available: -- **capabilities** The names of the optional content packages that were installed. -- **clientId** The name of the application requesting the optional content. -- **currentID** The ID of the current install session. -- **highestState** The highest final install state of the optional content. -- **hrStatus** The HReturn code of the install operation. -- **rebootCount** The number of reboots required to complete the install. -- **retryID** The session ID that will be used to retry a failed operation. -- **retryStatus** Indicates whether the install will be retried in the event of failure. -- **stackBuild** The build number of the servicing stack. -- **stackMajorVersion** The major version number of the servicing stack. -- **stackMinorVersion** The minor version number of the servicing stack. -- **stackRevision** The revision number of the servicing stack. +- **s0** Indicates the error level encountered during Privacy Consent Preparation. See [Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity](#microsoftwindowsshellprivacyconsentloggingwilactivity). +- **wilActivity** Information of the thread where the error occurred (thread ID). See [wilActivity](#wilactivity). -### CbsServicingProvider.CbsCapabilitySessionPended +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus -This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. +Event tells us effectiveness of new privacy experience. The following fields are available: -- **clientId** The name of the application requesting the optional content. -- **pendingDecision** Indicates the cause of reboot, if applicable. +- **isAdmin** Whether the current user is an administrator or not +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** Whether the current user has enabled silent elevation +- **privacyConsentState** The current state of the privacy consent experience +- **userRegionCode** The current user's region setting -### CbsServicingProvider.CbsPackageRemoval +### Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity -This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. +This event returns information if an error is encountered while computing whether the user needs to complete privacy consents in certain upgrade scenarios. The following fields are available: -- **buildVersion** The build number of the security update being uninstalled. -- **clientId** The name of the application requesting the uninstall. -- **currentStateEnd** The final state of the update after the operation. -- **failureDetails** Information about the cause of a failure, if applicable. -- **failureSourceEnd** The stage during the uninstall where the failure occurred. -- **hrStatusEnd** The overall exit code of the operation. -- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. -- **majorVersion** The major version number of the security update being uninstalled. -- **minorVersion** The minor version number of the security update being uninstalled. -- **originalState** The starting state of the update before the operation. -- **pendingDecision** Indicates the cause of reboot, if applicable. -- **primitiveExecutionContext** The state during system startup when the uninstall was completed. -- **revisionVersion** The revision number of the security update being uninstalled. -- **transactionCanceled** Indicates whether the uninstall was cancelled. +- **callContext** A list of Windows Diagnostic activities/events containing this error. +- **currentContextId** The ID for the newest activity/event containing this error. +- **currentContextMessage** Any custom message for the activity context. +- **currentContextName** The name of the newest activity/event context containing this error. +- **failureType** The type of failure observed: exception, returned error, etc. +- **fileName** The name of the fine in which the error was encountered. +- **hresult** The Result Code of the error. +- **lineNumber** The line number where the error was encountered. +- **message** Any message associated with the error. +- **module** The name of the binary module where the error was encountered. +- **originatingContextId** The ID of the oldest telemetry activity containing this error. +- **originatingContextMessage** Any custom message associated with the oldest Windows Diagnostic activity/event containing this error. +- **originatingContextName** The name associated with the oldest Windows Diagnostic activity/event containing this error. +- **threadId** The ID of the thread the activity was run on. +## Remediation events + ### Microsoft.Windows.Remediation.Applicable This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. @@ -3978,6 +4118,7 @@ The following fields are available: - **RemediationHibernationMigrated** TRUE if hibernation was migrated. - **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. - **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. +- **RemediationNoisyHammerTaskFixSuccessId** Indicates whether the Update Assistant task fix was successful. - **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. - **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. - **RemediationRanHibernation** TRUE if the system entered Hibernation. @@ -3999,6 +4140,9 @@ The following fields are available: - **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. - **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. +- **ServiceHardeningExitCode** The exit code returned by Windows Service Repair. +- **ServiceHealthEnabledBitMap** List of services updated by the plugin. +- **ServiceHealthInstalledBitMap** List of services installed by the plugin. - **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. @@ -4059,369 +4203,7 @@ The following fields are available: - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentLauncher.Applicable - -Indicates whether a given plugin is applicable. - -The following fields are available: - -- **CV** Correlation vector. -- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. -- **IsSelfUpdateNeeded** True if self update needed by device. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentLauncher.Completed - -Indicates whether a given plugin has completed its work. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. -- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. - - -### Microsoft.Windows.SedimentLauncher.Started - -This event indicates that a given plug-in has started. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentService.Applicable - -This event indicates whether a given plug-in is applicable. - -The following fields are available: - -- **CV** Correlation vector. -- **DetectedCondition** Determine whether action needs to run based on device properties. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentService.Completed - -This event indicates whether a given plug-in has completed its work. - -The following fields are available: - -- **CV** Correlation vector. -- **FailedReasons** List of reasons when the plugin action failed. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. -- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded. -- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. -- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). -- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. -- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). -- **SedimentServiceStopping** True/False indicating whether the service is stopping. -- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. -- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. - - -### Microsoft.Windows.SedimentService.Started - -This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. - -The following fields are available: - -- **CV** The Correlation Vector. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **PackageVersion** The version number of the current remediation package. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. - - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -Event tells us effectiveness of new privacy experience. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -## Remediation events - -### Microsoft.Windows.Remediation.Applicable - -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. - -The following fields are available: - -- **ActionName** The name of the action to be taken by the plug-in. -- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. -- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. -- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. -- **AppraiserTaskDisabled** Indicates the appraiser task is disabled. -- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. -- **CV** Correlation vector -- **DateTimeDifference** The difference between local and reference clock times. -- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. -- **DaysSinceLastSIH** The number of days since the most recent SIH executed. -- **DaysToNextSIH** The number of days until the next scheduled SIH execution. -- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. -- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. -- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. -- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. -- **GlobalEventCounter** Client side counter that indicates ordering of events. -- **HResult** The HRESULT for detection or perform action phases of the plugin. -- **IsAppraiserLatestResult** The HRESULT from the appraiser task. -- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. -- **LastHresult** The HRESULT for detection or perform action phases of the plugin. -- **LastRun** The date of the most recent SIH run. -- **NextRun** Date of the next scheduled SIH run. -- **PackageVersion** The version of the current remediation package. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Reload** True if SIH reload is required. -- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. -- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. -- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. -- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. -- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. -- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. -- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. -- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. -- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. -- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. -- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. -- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. -- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. -- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. -- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. -- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. -- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. -- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. -- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). -- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. -- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. -- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. -- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. -- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task. -- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task. -- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task. -- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task. -- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task. -- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task. -- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled. -- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled. -- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled. -- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled. -- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled. -- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled. -- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled. -- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled. -- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled. -- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled. -- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled. -- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled. -- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled. -- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled. -- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. -- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly. -- **RunTask** TRUE if SIH task should be run by the plug-in. -- **TimeServiceNTPServer** The URL for the NTP time server used by device. -- **TimeServiceStartType** The startup type for the NTP time service. -- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. -- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. - - -### Microsoft.Windows.Remediation.Completed - -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. - -The following fields are available: - -- **ActionName** Name of the action to be completed by the plug-in. -- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully. -- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully. -- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully. -- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully. -- **AppraiserTaskMissing** TRUE if the Appraiser task is missing. -- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully. -- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully. -- **branchReadinessLevel** Branch readiness level policy. -- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings. -- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded. -- **CV** The Correlation Vector. -- **DateTimeDifference** The difference between the local and reference clocks. -- **DaysSinceOsInstallation** The number of days since the installation of the Operating System. -- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes. -- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. -- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. -- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. -- **GlobalEventCounter** Client-side counter that indicates ordering of events. -- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. -- **hasRolledBack** Indicates whether the client machine has rolled back. -- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. -- **hResult** The result of the event execution. -- **HResult** The result of the event execution. -- **installDate** The value of installDate registry key. Indicates the install date. -- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS. -- **LatestState** The final state of the plug-in component. -- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in. -- **PackageVersion** The package version for the current Remediation. -- **PageFileCount** The number of Windows Page files. -- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes. -- **PageFileLocation** The storage location (directory path) of the Windows Page file. -- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes. -- **PluginName** The name of the plug-in specified for each generic plug-in event. -- **RanCleanup** TRUE if the plug-in ran disk cleanup. -- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation. -- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power. -- **RemediationBatteryPowerOnBattery** True if we allow execution on battery. -- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully. -- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. -- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. -- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes. -- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes. -- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes. -- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes. -- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes. -- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified. -- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value. -- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key. -- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted. -- **RemediationDUABuildNumber** The build number of the DUA. -- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted. -- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated. -- **remediationExecution** Remediation shell is in "applying remediation" state. -- **RemediationHibernationMigrated** TRUE if hibernation was migrated. -- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. -- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. -- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. -- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. -- **RemediationRanHibernation** TRUE if the system entered Hibernation. -- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded. -- **RemediationShellHasUpgraded** TRUE if the device upgraded. -- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins. -- **RemediationShellRunFromService** TRUE if the shell driver was run from the service. -- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session. -- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds. -- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation. -- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. -- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. -- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. -- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes. -- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes. -- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes. -- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more. -- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes. -- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. -- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. -- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. -- **ServiceHealthPlugin** The nae of the Service Health plug-in. -- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. -- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. -- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. -- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. -- **uninstallActive** TRUE if previous uninstall has occurred for current OS -- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. -- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. -- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. -- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set. -- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set. -- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. -- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. -- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. -- **usoScanIsUserLoggedOn** TRUE if the user is logged on. -- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). -- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background). -- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. -- **windowsEditionId** Event to report the value of Windows Edition ID. -- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. -- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes. -- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes. -- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes. -- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes. -- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes. -- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes. -- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes. -- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes. -- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key. - - -### Microsoft.Windows.Remediation.Started - -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. -- **PackageVersion** Current package version of Remediation application. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **RunCount** The number of times the remediation event started (whether it completed successfully or not). ## Sediment events @@ -4488,88 +4270,100 @@ The following fields are available: - **Time** System timestamp when the event was started. -## Sediment Service events - -### Microsoft.Windows.SedimentService.Applicable - -This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. -- **PackageVersion** Current package version of Remediation application. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentService.Completed - -This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. -- **PackageVersion** Current package version of Remediation application. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -### Microsoft.Windows.SedimentService.Started - -This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. -- **PackageVersion** Current package version of Remediation application. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. - - -## Sediment Launcher events - ### Microsoft.Windows.SedimentLauncher.Applicable -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. +Indicates whether a given plugin is applicable. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. -- **PackageVersion** Current package version of Remediation application. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. +- **IsSelfUpdateNeeded** True if self update needed by device. +- **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. ### Microsoft.Windows.SedimentLauncher.Completed -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. +Indicates whether a given plugin has completed its work. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. -- **PackageVersion** Current package version of Remediation application. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. ### Microsoft.Windows.SedimentLauncher.Started -This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. +This event indicates that a given plug-in has started. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. -- **PackageVersion** Current package version of Remediation application. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. +### Microsoft.Windows.SedimentService.Applicable + +This event indicates whether a given plug-in is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Determine whether action needs to run based on device properties. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. +- **IsSelfUpdateNeeded** Indicates if self update is needed. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Completed + +This event indicates whether a given plug-in has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** List of reasons when the plugin action failed. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded. +- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. +- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). +- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. +- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). +- **SedimentServiceStopping** True/False indicating whether the service is stopping. +- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. +- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. + + +### Microsoft.Windows.SedimentService.Started + +This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **PackageVersion** The version number of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. + + ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent @@ -5058,28 +4852,28 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether The following fields are available: - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** The secondary status code of the event. +- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id) +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). - **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable. - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** Identifies the revision of this specific piece of content -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate. -- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob -- **SignatureAlgorithm** Hash algorithm for the metadata signature -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult) -- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token. -- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. -- **UpdateId** Identifier associated with the specific piece of content -- **ValidityWindowInDays** Validity window in effect when verifying the timestamp +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** The status code of the event. +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. ## Update events @@ -5130,6 +4924,7 @@ The following fields are available: - **FlightId** Unique ID for each flight. - **InternalFailureResult** Indicates a non-fatal error from a plugin. - **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. - **PackageCountOptional** Number of optional packages requested. - **PackageCountRequired** Number of required packages requested. - **PackageCountTotal** Total number of packages needed. @@ -5355,7 +5150,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each update. +- **UpdateId** Unique ID for each Update. - **UserSession** Indicates whether install was invoked by user actions. @@ -5374,7 +5169,7 @@ The following fields are available: - **CV** Correlation vector. - **DetectorVersion** Most recently run detector version for the current campaign. - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. -- **key1** Interaction data for the UI +- **key1** UI interaction data - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -5385,7 +5180,7 @@ The following fields are available: - **key17** UI interaction data - **key18** UI interaction data - **key19** UI interaction data -- **key2** Interaction data for the UI +- **key2** UI interaction data - **key20** UI interaction data - **key21** UI interaction data - **key22** UI interaction data @@ -5396,12 +5191,12 @@ The following fields are available: - **key27** UI interaction data - **key28** UI interaction data - **key29** UI interaction data -- **key3** Interaction data for the UI +- **key3** UI interaction data - **key30** UI interaction data -- **key4** Interaction data for the UI -- **key5** UI interaction type -- **key6** Current package version of UNP -- **key7** UI interaction type +- **key4** UI interaction data +- **key5** UI interaction data +- **key6** UI interaction data +- **key7** UI interaction data - **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. @@ -5581,7 +5376,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -5723,6 +5518,7 @@ The following fields are available: - **ReportId** ID for tying together events stream side. - **ResultCode** Result returned by setup for the entire operation. - **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. - **TargetBranch** Branch of the target OS. - **TargetBuild** Build of the target OS. @@ -5802,7 +5598,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -5881,6 +5677,17 @@ The following fields are available: ## Windows Store events +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. @@ -5904,7 +5711,7 @@ The following fields are available: - **ProductId** The identity of the package or packages being installed. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** Licensing identity of this package. +- **WUContentId** The Windows Update content ID. ### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds @@ -6055,7 +5862,7 @@ The following fields are available: - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The total number of system attempts. - **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. +- **WUContentId** Licensing identity of this package. ### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates @@ -6125,7 +5932,7 @@ The following fields are available: ### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare -This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. The following fields are available: @@ -6266,7 +6073,7 @@ The following fields are available: - **current** Result of currency check. - **dismOperationSucceeded** Dism uninstall operation status. -- **hResult** Failure Error code. +- **hResult** Failure error code. - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. @@ -6442,6 +6249,46 @@ The following fields are available: - **sessionID** The ID of the download session. - **updateID** The ID of the update being paused. + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **callerName** Name of the API caller. +- **cdnUrl** The URL of the source CDN +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization. +- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering. +- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. @@ -6451,7 +6298,6 @@ The following fields are available: - **cdnHeaders** The HTTP headers returned by the CDN. - **cdnIp** The IP address of the CDN. - **cdnUrl** The URL of the CDN. -- **clientTelId** A random number used for device sampling. - **errorCode** The error code that was returned. - **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. @@ -6464,6 +6310,21 @@ The following fields are available: - **responseSize** The size of the range response received from the CDN. - **sessionID** The ID of the download session. + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary @@ -6473,21 +6334,21 @@ This event collects information regarding the state of devices and drivers on th The following fields are available: - **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** How many driver packages could not be analyzed because errors were hit during the analysis. +- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis. - **flightId** Unique ID for each flight. -- **missingDriverCount** How many driver packages that were delivered by the device manifest are missing from the system. -- **missingUpdateCount** How many updates that were part of the device manifest are missing from the system. +- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system. +- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system. - **objectId** Unique value for each diagnostics session. -- **publishedCount** How many drivers packages that were delivered by the device manifest are published and available to be used on devices. +- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices. - **relatedCV** Correlation vector value generated from the latest USO scan. - **scenarioId** Indicates the update scenario. - **sessionId** Unique value for each update session. -- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on. - **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** How many devices are missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** How many driver packages are missing from the summary string because there is not enough room in the string. +- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string. +- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string. - **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** Unique ID for each update. +- **updateId** Unique ID for each Update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit @@ -6829,9 +6690,9 @@ The following fields are available: - **deferReason** Reason why the device could not check for updates. - **detectionBlockingPolicy** State of update action. -- **detectionBlockreason** If we retry to scan +- **detectionBlockreason** State of update action - **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** State of update action +- **errorCode** Error info - **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **flightID** The specific ID of the Windows Insider build the device is getting. - **interactive** Indicates whether the session was user initiated. @@ -6839,7 +6700,7 @@ The following fields are available: - **revisionNumber** Update revision number. - **scanTriggerSource** Source of the triggered scan. - **updateId** Update ID. -- **updateScenarioType** Update Session type +- **updateScenarioType** Device ID - **wuDeviceid** Device ID @@ -7327,7 +7188,7 @@ The following fields are available: - **scheduledRebootTime** Time scheduled for the reboot. - **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. - **updateId** Identifies which update is being scheduled. -- **wuDeviceid** Unique device ID used by Windows Update. +- **wuDeviceid** Unique DeviceID ### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot @@ -7342,8 +7203,8 @@ This event is sent when MUSE broker schedules a task. The following fields are available: -- **TaskArgument** The arguments which the task is scheduled with -- **TaskName** Name of the task +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. ### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled @@ -7444,4 +7305,34 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f86fc65600..0d1c11c6b4 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 11/07/2018 +ms.date: 12/13/2018 --- @@ -38,6 +38,34 @@ You can learn more about Windows functional and diagnostic data through these ar +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + ## AppLocker events ### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically @@ -273,115 +301,202 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. - **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device. - **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. - **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. - **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device. - **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. - **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. - **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. - **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. - **InventoryLanguagePack** The count of the number of this particular object type present on this device. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. - **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. - **PCFP** The count of the number of this particular object type present on this device. - **SystemMemory** The count of the number of this particular object type present on this device. @@ -394,11 +509,16 @@ The following fields are available: - **SystemWim** The count of the number of this particular object type present on this device. - **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The count of the number of this particular object type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. - **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. - **Wmdrm_TH1** The count of the number of this particular object type present on this device. - **Wmdrm_TH2** The count of the number of this particular object type present on this device. @@ -454,6 +574,7 @@ The following fields are available: - **ActiveNetworkConnection** Indicates whether the device is an active network device. - **AppraiserVersion** The version of the appraiser file generating the events. - **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. - **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. - **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. - **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. @@ -647,6 +768,7 @@ The following fields are available: - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. - **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? @@ -666,7 +788,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -702,6 +824,7 @@ The following fields are available: - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? - **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? @@ -743,6 +866,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. - **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? - **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? @@ -821,6 +945,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? @@ -932,6 +1057,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. - **HasBiosBlock** Does the device have a BIOS block? @@ -1013,7 +1139,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1196,6 +1322,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. - **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. - **Time** The client time of the event. @@ -1585,6 +1712,7 @@ The following fields are available: - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. - **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. - **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. - **StoreHandleIsNotNull** Obsolete, always set to false - **TelementrySent** Indicates if telemetry was successfully sent. @@ -1741,6 +1869,7 @@ The following fields are available: - **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. - **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. - **DeviceForm** Indicates the form as per the device classification. - **DeviceName** The device name that is set by the user. - **DigitizerSupport** Is a digitizer supported? @@ -1806,6 +1935,48 @@ The following fields are available: - **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + ### Census.PrivacySettings This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. @@ -1935,8 +2106,11 @@ This event sends data about the current user's default preferences for browser a The following fields are available: +- **CalendarType** The calendar identifiers that are used to specify different calendars. - **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. ### Census.UserDisplay @@ -2266,6 +2440,20 @@ The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + ## Component-based servicing events ### CbsServicingProvider.CbsCapabilityEnumeration @@ -2299,6 +2487,7 @@ The following fields are available: - **capabilities** The names of the optional content packages that were installed. - **clientId** The name of the application requesting the optional content. - **currentID** The ID of the current install session. +- **downloadSource** The source of the download. - **highestState** The highest final install state of the optional content. - **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. - **hrStatus** The HReturn code of the install operation. @@ -2479,6 +2668,59 @@ The following fields are available: - **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. + + ### TelClientSynthetic.HeartBeat_5 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. @@ -2506,6 +2748,8 @@ The following fields are available: - **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. - **EventStoreResetCounter** Number of times event DB was reset. - **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. - **EventsUploaded** Number of events uploaded. - **Flags** Flags indicating device state such as network state, battery state, and opt-in state. - **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. @@ -3149,6 +3393,38 @@ The following fields are available: - **WDDMVersion** The Windows Display Driver Model version. +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsCrashFatal** (Deprecated) True/False to indicate whether the crash resulted in process termination. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + ## Hang Reporting events ### Microsoft.Windows.HangReporting.AppHangEvent @@ -3185,9 +3461,13 @@ This event captures basic checksum data about the device inventory items stored The following fields are available: +- **Device** A count of device objects in cache. - **DeviceCensus** A count of device census objects in cache. - **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. - **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. - **InventoryApplication** A count of application objects in cache. - **InventoryApplicationAppV** A count of application AppV objects in cache. - **InventoryApplicationDriver** A count of application driver objects in cache @@ -3211,6 +3491,9 @@ The following fields are available: - **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache - **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache - **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. ### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo @@ -3691,27 +3974,30 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **AddinCLSID** The CLSID for the Office addin -- **AddInId** Office addin ID -- **AddinType** The type of the Office addin. -- **BinFileTimestamp** Timestamp of the Office addin -- **BinFileVersion** Version of the Office addin -- **Description** Office addin description -- **FileId** FileId of the Office addin -- **FileSize** File size of the Office addin -- **FriendlyName** Friendly name for office addin -- **FullPath** Unexpanded path to the office addin +- **AddinCLSID** The CLSID for the Office add-in. +- **AddInCLSID** CLSID key for the office addin +- **AddInId** Office add-in ID. +- **AddinType** Office add-in Type. +- **BinFileTimestamp** Timestamp of the Office add-in. +- **BinFileVersion** Version of the Office add-in. +- **Description** Office add-in description. +- **FileId** FileId of the Office add-in. +- **FileSize** File size of the Office add-in. +- **FriendlyName** Friendly name for office add-in. +- **FullPath** Unexpanded path to the office add-in. - **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Uint32 that describes the load behavior -- **OfficeApplication** The office application for this addin -- **OfficeArchitecture** Architecture of the addin -- **OfficeVersion** The office version for this addin -- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this addin -- **ProductCompany** The name of the company associated with the Office addin -- **ProductName** The product name associated with the Office addin -- **ProductVersion** The version associated with the Office addin -- **ProgramId** The unique program identifier of the Office addin -- **Provider** Name of the provider for this addin +- **LoadBehavior** Uint32 that describes the load behavior. +- **LoadTime** Load time for the office addin +- **OfficeApplication** The office application for this add-in. +- **OfficeArchitecture** Architecture of the add-in. +- **OfficeVersion** The office version for this add-in. +- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Office add-in. +- **Provider** Name of the provider for this add-in. +- **Usage** Data regarding usage of the add-in. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove @@ -4015,6 +4301,7 @@ This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd e The following fields are available: +- **CensusId** A unique hardware identifier. - **ChecksumDictionary** A count of each operating system indicator. - **PCFP** Equivalent to the InventoryId field that is found in other core events. @@ -4091,6 +4378,60 @@ The following fields are available: ## OneDrive events +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + ### Microsoft.OneDrive.Sync.Updater.ComponentInstallState This event includes basic data about the installation state of dependent OneDrive components. @@ -4140,102 +4481,6 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events - -### Microsoft.Windows.Kits.WSK.WskImageCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. - -The following fields are available: - -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskImageCustomization - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. - -The following fields are available: - -- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate - -This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. - -The following fields are available: - -- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. -- **OsEdition** The Operating System Edition that the workspace will target. -- **Phase** The image creation phase. Values are “Start” or “End”. -- **WskVersion** The version of the Windows System Kit being used. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General - -This event provides information about application properties to indicate the successful execution. - -The following fields are available: - -- **AppMode** Indicates the mode the app is being currently run around privileges. -- **ExitCode** Indicates the exit code of the app. -- **Help** Indicates if the app needs to be launched in the help mode. -- **ParseError** Indicates if there was a parse error during the execution. -- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. -- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. -- **TestMode** Indicates whether the app is being run in test mode. - - -### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount - -This event provides information about the properties of user accounts in the Administrator group. - -The following fields are available: - -- **Internal** Indicates the internal property associated with the count group. -- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. - - -### Microsoft.Xbox.XamTelemetry.AppActivationError - -This event indicates whether the system detected an activation error in the app. - -The following fields are available: - -- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. -- **AppId** The Xbox LIVE Title ID. -- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. -- **Result** The HResult error. -- **UserId** The Xbox LIVE User ID (XUID). - - -### Microsoft.Xbox.XamTelemetry.AppActivity - -This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - -The following fields are available: - -- **AppActionId** The ID of the application action. -- **AppCurrentVisibilityState** The ID of the current application visibility state. -- **AppId** The Xbox LIVE Title ID of the app. -- **AppPackageFullName** The full name of the application package. -- **AppPreviousVisibilityState** The ID of the previous application visibility state. -- **AppSessionId** The application session ID. -- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). -- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. -- **DurationMs** The amount of time (in milliseconds) since the last application state transition. -- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. -- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). -- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. -- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. -- **UserId** The XUID (Xbox User ID) of the current user. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -4292,6 +4537,17 @@ This event sends basic metadata about the update installation process generated +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + ### SetupPlatformTel.SetupPlatfOrmTelEvent This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. @@ -4388,6 +4644,36 @@ The following fields are available: - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + ### SoftwareUpdateClientTelemetry.Download Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). @@ -4478,6 +4764,58 @@ The following fields are available: - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + ### SoftwareUpdateClientTelemetry.Install This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. @@ -4494,6 +4832,7 @@ The following fields are available: - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. - **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. @@ -4544,6 +4883,7 @@ The following fields are available: - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. - **TransactionCode** The ID that represents a given MSI installation. - **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. @@ -4669,6 +5009,37 @@ The following fields are available: - **WUDeviceID** The unique device ID controlled by the software distribution client. +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token. +- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** Validity window in effect when verifying the timestamp + + ## System Resource Usage Monitor events ### Microsoft.Windows.Srum.Sdp.CpuUsage @@ -5078,9 +5449,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -5218,9 +5589,9 @@ The following fields are available: - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. -- **Operation** Facilitator's last known operation (scan, download, etc.). +- **Operation** Facilitator’s last known operation (scan, download, etc.). - **ReportId** ID for tying together events stream side. -- **ResultCode** Result returned by Setup for the entire operation. +- **ResultCode** Result returned by setup for the entire operation. - **Scenario** Dynamic Update scenario (Image DU, or Setup DU). - **ScenarioId** Identifies the update scenario. - **TargetBranch** Branch of the target OS. @@ -5302,7 +5673,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -5356,8 +5727,597 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Windows Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The product family name of the product being installed. +- **ProductId** The identity of the package or packages being installed. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + ## Windows Update Delivery Optimization events +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **numPeers** The total number of peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedUpload** Is the upload restricted? +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. @@ -5380,6 +6340,20 @@ The following fields are available: - **sessionID** The ID of the download session. +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary @@ -5599,6 +6573,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel This event indicates that Windows Update activity was blocked due to low battery level. @@ -5611,6 +6597,47 @@ The following fields are available: - **wuDeviceid** Device ID. +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** Reason why the device could not check for updates. +- **detectionBlockingPolicy** State of update action. +- **detectionBlockreason** Reason for detection not completing. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The returned error code. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session was user initiated. +- **networkStatus** Error info +- **revisionNumber** Update revision number. +- **scanTriggerSource** Source of the triggered scan. +- **updateId** Update ID. +- **updateScenarioType** Update Session type +- **wuDeviceid** Device ID + + ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded This event indicates the reboot was postponed due to needing a display. @@ -5627,6 +6654,23 @@ The following fields are available: - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. @@ -5695,7 +6739,7 @@ The following fields are available: - **revisionNumber** Revision number of the update. - **updateId** Update ID. - **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.Indicates the exact state of the user experience at the time the required reboot was initiated. - **wuDeviceid** Unique device ID used by Windows Update. @@ -6025,21 +7069,21 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS The following fields are available: -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Number of mounted images. -- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT. -- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. -- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. -- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT. -- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan. -- **RelatedCV** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** Number of mounted images. +- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. - **WuId** Unique ID for the Windows Update client. @@ -6066,4 +7110,49 @@ The following fields are available: - **WuId** Unique ID for the Windows Update client. +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index cd8898c653..37a8b7a031 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -365,7 +365,7 @@ Use the appropriate value in the table below when you configure the management p | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | > [!NOTE] - > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. + > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. ### Use Group Policy to set the diagnostic data level diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 8952d30367..e1797ff113 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: high -ms.date: 10/16/2017 +ms.date: 11/9/2018 author: danihalfin ms.author: daniha --- @@ -309,33 +309,6 @@ The following fields are available: - **isTrustletRunning:** Indicates whether an enhanced security component is currently running - **isVsmCfg:** Flag indicating whether virtual secure mode is configured or not -## Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys) -- **certThumbprint:** Certificate thumbprint - -## Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **caThumbprints:** Intermediate certificate thumbprints -- **rootThumbprint:** Root certificate thumbprint -- **serverName:** Server name associated with the certificate -- **serverThumbprint:** Server certificate thumbprint -- **statusBits:** Certificate status - -## Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys) -- **certThumbprint:** Certificate thumbprint - ## Microsoft.Windows.Security.Winlogon.SystemBootStop System boot has completed. @@ -437,5 +410,8 @@ A previous revision of this list stated that a field named PartA_UserSid was a m ### Office events added In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics. +### CertAnalytics events removed +In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 3 "CertAnalytics" events were removed, as they are no longer required for Windows Analytics. + >[!NOTE] >You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic. diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index 4c786622c8..e830022a97 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -59,6 +59,9 @@ This setting determines the amount of Windows diagnostic data sent to Microsoft. >| **Default setting** | 2 - Enhanced | >| **Recommended** | 2 - Enhanced | +>[!NOTE] +>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. + #### Registry > [!div class="mx-tableFixed"] diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index c27c171f8d..53820f7491 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.date: 07/30/2018 +ms.date: 12/10/2018 --- # Local Accounts @@ -16,15 +16,8 @@ ms.date: 07/30/2018 This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller. -**Did you mean…** - -- [Active Directory Accounts](active-directory-accounts.md) - -- [Microsoft Accounts](microsoft-accounts.md) - ## About local user accounts - Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. This topic describes the following: @@ -475,14 +468,9 @@ Passwords can be randomized by: - Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools. -- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator account’s password via GPO](https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789). +- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task. - **Note**   - This tool is not supported by Microsoft. There are some important considerations to make before deploying this tool because this tool requires client-side extensions and schema extensions to support password generation and storage. - -   - -- Create and implement a custom script or solution to randomize local account passwords. +- Creating and implementing a custom script or solution to randomize local account passwords. ## See also diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 0836a4dfc0..89535ec25d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -22,7 +22,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a ### 1. Develop a password replacement offering Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to useWindows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm. diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png new file mode 100644 index 0000000000..9f9aea0f86 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg new file mode 100644 index 0000000000..f1c25c116c Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png new file mode 100644 index 0000000000..dfd30ba2a2 Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-security-center.png differ diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 3f71393153..50c63fd31c 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 10/03/2018 +ms.date: 12/08/2018 --- # Kernel DMA Protection for Thunderbolt™ 3 @@ -65,11 +65,17 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required. -**To check if a device supports Kernel DMA Protection** +### Using Security Center + +Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**. + +![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png) + +### Using System information 1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar. 2. Check the value of **Kernel DMA Protection**. - ![Kernel DMA protection](bitlocker/images/kernel-dma-protection.png) + ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) 3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO: - Reboot into BIOS settings - Turn on Intel Virtualization Technology. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ff9215a0cb..d1c214ecbe 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -92,6 +92,7 @@ #### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md) ##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) ##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md) +##### [Information protection in Windows overview](windows-defender-atp/information-protection-in-windows-overview.md) @@ -411,6 +412,7 @@ #### Configure Microsoft threat protection integration ##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md) ##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md) +##### [Configure information protection in Windows](windows-defender-atp/information-protection-in-windows-config.md) diff --git a/windows/security/threat-protection/device-control/images/class-guids.png b/windows/security/threat-protection/device-control/images/class-guids.png new file mode 100644 index 0000000000..6951e4ed5a Binary files /dev/null and b/windows/security/threat-protection/device-control/images/class-guids.png differ diff --git a/windows/security/threat-protection/device-control/images/hardware-ids.png b/windows/security/threat-protection/device-control/images/hardware-ids.png new file mode 100644 index 0000000000..9017f289f6 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/hardware-ids.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index cad1984faf..eb9084b991 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool @@ -37,16 +37,20 @@ MpCmdRun.exe [command] [-options] Command | Description :---|:--- -\- ? **or** -h | Displays all available options for the tool -\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software -\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing -\-GetFiles | Collects support information -\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures -\-AddDynamicSignature [-Path] | Loads a dynamic signature -\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures -\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature -\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md) -\-SignatureUpdate [-UNC [-Path ]] | Checks for new definition updates +\-? **or** -h | Displays all available options​ for this tool​ +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]]​ [-Timeout ]​ [-Cancel]​ | Scans for malicious software​ +\-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing​ +\-GetFiles | Collects support information​ +\-GetFilesDiagTrack | Same as Getfiles but outputs to​ temporary DiagTrack folder​ +\-RemoveDefinitions [-All] | Restores the installed​ signature definitions​ to a previous backup copy or to​ the original default set of​ signatures​ +\-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically​ downloaded signatures​ +\-SignatureUpdate [-UNC \| -MMPC] | Checks for new definition updates​ +\-Restore [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]] | Restores or list​s quarantined item(s)​ +\-AddDynamicSignature [-Path] | Loads a dynamic signature​ +\-ListAllDynamicSignatures | Lists the loaded dynamic signatures​ +\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature​ +\-CheckExclusion -path | Checks whether a path is excluded + ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 8292217735..a9db1100c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure and validate exclusions based on file extension and folder location @@ -264,7 +264,7 @@ The following table describes how the wildcards can be used and provides some ex ## Review the list of exclusions -You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). >[!IMPORTANT] >Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). @@ -276,7 +276,18 @@ If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** +**Validate the exclusion list by using MpCmdRun:** + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** Use the following cmdlet: @@ -290,7 +301,7 @@ In the following example, the items contained in the `ExclusionExtension` list a See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list:** +**Retrieve a specific exclusions list by using PowerShell:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 320078778c..40785cfdec 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure exclusions for files opened by processes @@ -147,14 +147,26 @@ Environment variables | The defined variable will be populated as a path when th ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** +**Validate the exclusion list by using MpCmdRun:** + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + + +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** Use the following cmdlet: @@ -164,7 +176,7 @@ Get-MpPreference See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list:** +**Retrieve a specific exclusions list by using PowerShell:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index d62ac289fe..d40f911f2e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure scheduled quick or full Windows Defender Antivirus scans @@ -42,7 +42,6 @@ To configure the Group Policy settings described in this topic: 6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics. ## Quick scan versus full scan and custom scan @@ -66,6 +65,8 @@ A custom scan allows you to specify the files and folders to scan, such as a USB Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans. +>[!NOTE] +>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time. **Use Group Policy to schedule scans:** diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 123f439d6f..8b71416a15 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -22,6 +22,7 @@ ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) +### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 689be7ba29..d85ed0d63b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -50,7 +50,7 @@ AppLocker helps administrators control how users can access and use files, such You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). -### Administer Applocker using Group Policy +### Administer AppLocker using Group Policy You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md new file mode 100644 index 0000000000..b1018f5e79 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -0,0 +1,39 @@ +--- +title: Querying Application Control events centrally using Advanced hunting (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: mdsakibMSFT +ms.author: justinha +ms.date: 12/06/2018 +--- + +# Querying Application Control events centrally using Advanced hunting + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. +While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. + +In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. + +Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. +This capability is supported beginning with Windows version 1607. + +Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP: + +``` +MiscEvents +| where EventTime > ago(7d) and +ActionType startswith "AppControl" +| summarize Machines=dcount(ComputerName) by ActionType +| order by Machines desc +``` + +The query results can be used for several important functions related to managing WDAC including: + +- Assessing the impact of deploying policies in audit mode + Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode. +- Monitoring blocks from policies in enforced mode + Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 9ecf24c3a5..5e93dae32c 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -90,7 +90,8 @@ ### [Microsoft Threat Protection](threat-protection-integration.md) #### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) -#### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md) +#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) +#### [Information protection in Windows overview](information-protection-in-windows-overview.md) ### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) @@ -411,7 +412,8 @@ ### Configure Microsoft Threat Protection integration #### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md) -#### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md) +#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) +####[Configure information protection in Windows](information-protection-in-windows-config.md) ### [Configure Windows Security app settings](preferences-setup-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index b887fd19b7..a6cd39db1b 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/28/2018 +ms.date: 11/16/2018 --- # Configure advanced features in Windows Defender ATP @@ -89,7 +89,7 @@ Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud A >[!NOTE] >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. -## Azure information protection +## Azure Information Protection Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index a3ad4f5884..11646a76e2 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -59,7 +59,7 @@ To see a live example of these operators, run them as part of the **Get started* ## Access query language documentation -For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/). +For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language). ## Use exposed tables in Advanced hunting diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md index da80f7bb7e..c7cfc039ad 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md @@ -50,7 +50,6 @@ detectionSource | string | Detection source. threatFamilyName | string | Threat family. title | string | Alert title. description | String | Description of the threat, identified by the alert. -recommendedAction | String | Action recommended for handling the suspected threat. alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created. lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine. firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine. @@ -74,7 +73,6 @@ machineId | String | ID of a [machine](machine-windows-defender-advanced-threat- "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", "description": "Some description" - "recommendedAction": "Some recommended action" "alertCreationTime": "2018-11-26T16:19:21.8409809Z", "firstEventTime": "2018-11-26T16:17:50.0948658Z", "lastEventTime": "2018-11-26T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index 123a0bdfd0..3c9a28ceaf 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -26,7 +26,8 @@ ms.date: 11/20/2018 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) >[!TIP] -> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index e0c41580fa..a567b25209 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/19/2018 +ms.date: 12/06/2018 --- # Onboard Windows 10 machines using Mobile Device Management tools @@ -34,27 +34,10 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D ## Onboard machines using Microsoft Intune +Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). + For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). -### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher - -1. Login to the [Microsoft Azure portal](https://portal.azure.com). - -2. Select **Device Configuration > Profiles > Create profile**. - -3. Enter a **Name** and **Description**. - -4. For **Platform**, select **Windows 10 and later**. - -5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**. - -6. Configure the settings: - - **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service. - - **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis. - - **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently. - - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property. - -7. Select **OK**, and **Create** to save your changes, which creates the profile. > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index 88f5545da4..b207613837 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -84,8 +84,8 @@ Content-Length: application/json "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "severity": "Low", "title": "test alert", - "description": "redalert", - "recommendedAction": "white alert", + "description": "test alert", + "recommendedAction": "test alert", "eventTime": "2018-08-03T16:45:21.7115183Z", "reportId": "20776", "category": "None" diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index fbe3783a63..9a87b74ae6 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/08/2018 +ms.date: 12/10/2018 --- # Enable SIEM integration in Windows Defender ATP @@ -20,20 +20,29 @@ ms.date: 10/08/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. +## Prerequisites +- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. +- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site. + +## Enabling SIEM integration 1. In the navigation pane, select **Settings** > **SIEM**. - ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png) + ![Image of SIEM integration from Settings menu](images/enable_siem.png) + + >[!TIP] + >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. 2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. - > [!WARNING] - >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
- For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + > [!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
+ For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + + ![Image of SIEM integration from Settings menu](images/siem_details.png) 3. Choose the SIEM type you use in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index 37c5a9f1d7..2c87e56309 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -100,8 +100,7 @@ Content-type: application/json "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-26T16:19:21.8409809Z", "firstEventTime": "2018-11-26T16:17:50.0948658Z", "lastEventTime": "2018-11-26T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md index 88cda0c956..5c9436aefc 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md @@ -87,8 +87,7 @@ Here is an example of the response. "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-25T16:19:21.8409809Z", "firstEventTime": "2018-11-25T16:17:50.0948658Z", "lastEventTime": "2018-11-25T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 7cf854cf6f..9b0c1f4123 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -100,8 +100,7 @@ Here is an example of the response. "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-26T16:19:21.8409809Z", "firstEventTime": "2018-11-26T16:17:50.0948658Z", "lastEventTime": "2018-11-26T16:18:01.809871Z", @@ -121,8 +120,7 @@ Here is an example of the response. "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-25T16:19:21.8409809Z", "firstEventTime": "2018-11-25T16:17:50.0948658Z", "lastEventTime": "2018-11-25T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index 39c7ea3379..639c228caf 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -96,8 +96,7 @@ Content-type: application/json "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-25T16:19:21.8409809Z", "firstEventTime": "2018-11-25T16:17:50.0948658Z", "lastEventTime": "2018-11-25T16:18:01.809871Z", @@ -117,8 +116,7 @@ Content-type: application/json "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-24T16:19:21.8409809Z", "firstEventTime": "2018-11-24T16:17:50.0948658Z", "lastEventTime": "2018-11-24T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md index b8db356dde..7f309c2d4b 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -94,8 +94,7 @@ Content-type: application/json "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-26T16:19:21.8409809Z", "firstEventTime": "2018-11-26T16:17:50.0948658Z", "lastEventTime": "2018-11-26T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md index 601886b8ec..369f38ef43 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -93,8 +93,7 @@ Content-type: application/json "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-25T16:19:21.8409809Z", "firstEventTime": "2018-11-25T16:17:50.0948658Z", "lastEventTime": "2018-11-25T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index 191f30cfc2..22e929fc9c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -93,8 +93,7 @@ Content-type: application/json "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-25T16:19:21.8409809Z", "firstEventTime": "2018-11-25T16:17:50.0948658Z", "lastEventTime": "2018-11-25T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md index 1104afadfd..5cbdd37666 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-started.md +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md @@ -20,7 +20,8 @@ ms.date: 11/20/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >[!TIP] -> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md index 139d24daf4..f78eff0109 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -93,8 +93,7 @@ Content-type: application/json "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-25T16:19:21.8409809Z", "firstEventTime": "2018-11-25T16:17:50.0948658Z", "lastEventTime": "2018-11-25T16:18:01.809871Z", @@ -114,8 +113,7 @@ Content-type: application/json "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-24T16:19:21.8409809Z", "firstEventTime": "2018-11-24T16:17:50.0948658Z", "lastEventTime": "2018-11-24T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png new file mode 100644 index 0000000000..f66b75a274 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png b/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png new file mode 100644 index 0000000000..0148a800b2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png b/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png new file mode 100644 index 0000000000..ac8a62b883 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png b/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png new file mode 100644 index 0000000000..750bd6e459 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/siem_details.png b/windows/security/threat-protection/windows-defender-atp/images/siem_details.png new file mode 100644 index 0000000000..94c724f0c8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/siem_details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md new file mode 100644 index 0000000000..b0644db04c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md @@ -0,0 +1,49 @@ +--- +title: Configure information protection in Windows +description: Learn how to expand the coverage of WIP to protect files based on their label, regardless of their origin. +keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/05/2018 +--- + +# Configure information protection in Windows +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. + +## Prerequisites +- Endpoints need to be on Windows 10, version 1809 or later +- You'll need the appropriate license to leverage the Windows Defender ATP and Azure Information Protection integration +- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports) + + +## Configuration steps +1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. +2. Define which labels need to get WIP protection in Office 365 Security and Compliance. + + 1. Go to: **Classifications > Labels**. + 2. Create a new label or edit an existing one. + 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP. + + ![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) + + 4. Repeat for every label that you want to get WIP applied to in Windows. + +After completing these steps Windows Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them. + +>[!NOTE] +>- The Windows Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy. +>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data. + +## Related topic +- [Information protection in Windows overview](information-protection-in-windows-overview.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md new file mode 100644 index 0000000000..b71095b5fc --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md @@ -0,0 +1,95 @@ +--- +title: Information protection in Windows overview +description: Learn about how information protection works in Windows to identify and protect sensitive information +keywords: information, protection, dlp, wip, data, loss, prevention, protect +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/05/2018 +--- + +# Information protection in Windows overview +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. + + +Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. + + +Windows Defender ATP applies two methods to discover and protect data: +- **Data discovery** - Identify sensitive data on Windows devices at risk +- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label + + +## Data discovery +Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection). + + +![Image of settings page with Azure Information Protection](images/atp-settings-aip.png) + +After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection. + +The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard. + +### Azure Information Protection - Data discovery dashboard +This dashboard presents a summarized discovery information of data discovered by both Windows Defender ATP and Azure Information Protection. Data from Windows Defender ATP is marked with Location Type - Endpoint. + +![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png) + + +Notice the Device Risk column on the right, this device risk is derived directly from Windows Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Windows Defender ATP. + +Clicking the device risk level will redirect you to the device page in Windows Defender ATP, where you can get a comprehensive view of the device security status and its active alerts. + + +>[!NOTE] +>Windows Defender ATP does not currently report the Information Types. + +### Log Analytics +Data discovery based on Windows Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data. + +For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). + +Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic). + +To view Windows Defender ATP data, perform a query that contains: + + +``` +InformationProtectionLogs_CL +| where Workload_s == "Windows Defender" +``` + +**Prerequisites:** +- Customers must have a subscription for Azure Information Protection. +- Enable Azure Information Protection integration in Windows Defender Security Center: + - Go to **Settings** in Windows Defender Security Center, click on **Advanced Settings** under **General**. + + +## Data protection +For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Windows Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them. + + +When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Windows Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices). + + +![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) + +Once, the policy is set and published, Windows Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy. + +This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin. + +For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md). + + +## Related topics +- [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md index 6c225819b2..580d9cd88b 100644 --- a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md @@ -40,7 +40,7 @@ id | Guid | Identity of the [Machine Action](machineaction-windows-defender-adva type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" requestor | String | Identity of the person that executed the action. requestorComment | String | Comment that was written when issuing the action. -status | Enum | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". +status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". machineId | String | Id of the machine on which the action was executed. creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md index bcadd41d25..ba9be2d111 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md @@ -11,11 +11,11 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/19/2018 +ms.date: 10/19/2018 --- -# Configure Microsoft Cloud App Security integration +# Configure Microsoft Cloud App Security in Windows **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md index c18f430649..12da630b32 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md @@ -1,7 +1,7 @@ --- title: Microsoft Cloud App Security integration overview -description: -keywords: +description: Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage +keywords: cloud, app, networking, visibility, usage search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -11,10 +11,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/18/2018 +ms.date: 10/18/2018 --- -# Microsoft Cloud App Security integration overview +# Microsoft Cloud App Security in Windows overview **Applies to:** - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 498cf8a90c..09f32289a1 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -25,7 +25,8 @@ There are some minimum requirements for onboarding machines to the service. >[!TIP] -> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md index 0a0076523d..4fdcb667bb 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md @@ -58,9 +58,6 @@ Review the following details to verify minimum system requirements: >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - - >[!NOTE] - >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. - Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md index d650cb05c1..83c00ed68b 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview.md +++ b/windows/security/threat-protection/windows-defender-atp/overview.md @@ -22,7 +22,8 @@ ms.date: 11/20/2018 Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. >[!TIP] -> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## In this section diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index c51de1c5bf..f0d5d23e2f 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/05/2018 +ms.date: 12/03/2018 --- # Windows Defender ATP preview features @@ -39,6 +39,10 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: +- [Information protection](information-protection-in-windows-overview.md)
+Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. + + - [Incidents](incidents-queue.md)
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 1c6449106b..22404be54a 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -73,7 +73,7 @@ The response will include an access token and expiry information. ```json { "token_type": "Bearer", - "expires_in": "3599" + "expires_in": "3599", "ext_expires_in": "0", "expires_on": "1488720683", "not_before": "1488720683", @@ -98,7 +98,7 @@ Authorization | string | Required. The Azure AD access token in the form **Beare ### Request parameters -Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization. +Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization in the last 2 hours. Name | Value| Description :---|:---|:--- @@ -106,7 +106,9 @@ DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retriev DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

**NOTE**: When not specified, the default value will be the current time. string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

**NOTE**: When not specified, all alerts available in the time range will be retrieved. -machinegroups | String | Specifies machine groups to pull alerts from .

**NOTE**: When not specified, alerts from all machine groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` +machinegroups | String | Specifies machine groups to pull alerts from.

**NOTE**: When not specified, alerts from all machine groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` +DeviceCreatedMachineTags | string | Single machine tag from the registry. +CloudCreatedMachineTags | string | Machine tags that were created in Windows Defender Security Center. ### Request example The following example demonstrates how to retrieve all the alerts in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index 6fff222564..724678dc82 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -236,7 +236,7 @@ For a machine to be considered "well configured", it must comply to a minimum ba >This security control is only applicable for machines with Windows 10, version 1803 or later. #### Minimum baseline configuration setting for BitLocker -- Ensure all supported internal drives are encrypted +- Ensure all supported drives are encrypted - Ensure that all suspended protection on drives resume protection - Ensure that drives are compatible diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md index e0301cebc1..d837895ff9 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/12/2018 +ms.date: 12/03/2018 --- # Microsoft Threat Protection @@ -28,24 +28,30 @@ Microsoft's multiple layers of threat protection across data, applications, devi Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between these layers results in better protected customers. -## Conditional access -Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. - -## Office 365 Advanced Threat Protection (Office 365 ATP) -[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. - ## Azure Advanced Threat Protection (Azure ATP) Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. -## Skype for Business -The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. - ## Azure Security Center Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. +## Azure Information Protection +Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection. + +## Conditional access +Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. + + ## Microsoft Cloud App Security Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +## Office 365 Advanced Threat Protection (Office 365 ATP) +[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. + +## Skype for Business +The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. + + + ## Related topic - [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 4e69de458e..cfc99280d3 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -98,8 +98,7 @@ Here is an example of the response. "detectionSource": "WindowsDefenderAv", "threatFamilyName": "Mikatz", "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "recommendedAction": "Some recommended action" + "description": "Some description", "alertCreationTime": "2018-11-26T16:19:21.8409809Z", "firstEventTime": "2018-11-26T16:17:50.0948658Z", "lastEventTime": "2018-11-26T16:18:01.809871Z", diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index de7712091a..7f1f28e13e 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -68,7 +68,8 @@ Windows Defender ATP uses the following combination of technology built into Win >[!TIP] -> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). **[Attack surface reduction](overview-attack-surface-reduction.md)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index f04964a7cd..fc9d4153fb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -33,13 +33,13 @@ You can also get detailed reporting into events and blocks as part of Windows Se You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. -The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. +The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. ### Import an existing XML custom view -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views: +1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml): - Controlled folder access events custom view: *cfa-events.xml* - Exploit protection events custom view: *ep-events.xml* - Attack surface reduction events custom view: *asr-events.xml* diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 34346b0e9c..12dd2d0312 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "trudyha", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",