diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index ce0912331a..6568445c8a 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,13 +1,13 @@
{
"redirections": [
{
-"source_path": "windows/deployment/update/waas-servicing-differences.md",
-"redirect_url": "https://docs.microsoft.com/windows/deployment/update/windows-as-a-service",
+"source_path": "windows/application-management/msix-app-packaging-tool-walkthrough.md",
+"redirect_url": "https://docs.microsoft.com/windows/msix/mpt-overview",
"redirect_document_id": true
},
{
-"source_path": "windows/application-management/msix-app-packaging-tool-walkthrough.md",
-"redirect_url": "https://docs.microsoft.com/windows/msix/mpt-overview",
+"source_path": "windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-containers-help-protect-windows",
"redirect_document_id": true
},
{
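Review bot: The new `redirect_url` for how-hardware-based-containers-help-protect-windows.md is a site-relative path ("/windows/security/threat-protection/windows-defender-system-guard/..."), while the other entry in this hunk uses an absolute "https://docs.microsoft.com/..." URL. Use one form consistently, and confirm that the relative form resolves as intended when `redirect_document_id` is true. The waas-servicing-differences.md redirect is also dropped here, which is only correct because the same patch re-adds that file; it would help to say so in the commit description.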
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 2e6455f840..46c4dda2d0 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -32,9 +32,9 @@ Booting from the network (PXE boot) is only supported when you use an Ethernet a
The following Ethernet devices are supported for network boot with Surface devices:
-- Surface USB to Ethernet adapter
+- Surface USB-C to Ethernet and USB 3.0 Adapter
-- Surface USB 3.0 Ethernet adapter
+- Surface USB 3.0 to Gigabit Ethernet Adapter
- Surface Dock
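Review bot: The first replacement changes "Surface USB to Ethernet adapter" to "Surface USB-C to Ethernet and USB 3.0 Adapter", which reads as a different device (USB-C connector) rather than a rename. If the original USB adapter is still supported for PXE boot, keep it in the list and add the USB-C adapter as a new bullet. Otherwise, state that support was removed.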
diff --git a/devices/surface/index.md b/devices/surface/index.md
index 20d2c00e79..e559820d25 100644
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@@ -31,6 +31,7 @@ For more information on planning for, deploying, and managing Surface devices in
| [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md) | Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device. |
| [Manage Surface UEFI settings](manage-surface-uefi-settings.md) | Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings. |
| [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) | See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization. |
+| [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | Learn how to investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. |
| [Surface Data Eraser](microsoft-surface-data-eraser.md) | Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices. |
| [Top support solutions for Surface devices](support-solutions-surface.md) | These are the top Microsoft Support solutions for common issues experienced using Surface devices in an enterprise. |
| [Change history for Surface documentation](change-history-for-surface.md) | This topic lists new and updated topics in the Surface documentation library. |
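Review bot: The added row links to surface-diagnostic-toolkit-business.md, but no file of that name is added or modified in the visible part of this patch. Confirm the target exists on this branch so the table does not ship with a broken link.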
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 9397bb5aae..9b9cc1b64f 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -2785,7 +2785,7 @@ ADMX Info:
Supported values:
- Blank (default) - Load the pages specified in App settings as the default Start pages.
-- String - Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:
\ \
+- String - Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets and comma: \,\
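Review bot: In the added "String" bullet, the example after "angle brackets and comma:" shows only "\,\" with no URL placeholders between the escapes, so the reader cannot see the expected format. Put the example in an inline code span so the angle-bracketed placeholders survive rendering. The wording would also be clearer as "enclosing each URL in angle brackets and separating them with commas", since the brackets wrap each URL and only the comma separates them.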
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 94e15bf96e..e258974ff4 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -288,7 +288,7 @@ The following list shows the supported values:
-Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
+Determines the type of PIN required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
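Review bot: The description now says the policy "Determines the type of PIN required", but the supported-values list for the same policy (next hunk) starts every option with "Password". Either the policy governs passwords too, in which case keep "PIN or password" here, or it does not, in which case the values should not mention passwords. As written, the two disagree about the scope of a device-lock control.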
@@ -306,9 +306,9 @@ Determines the type of PIN or password required. This policy only applies if the
The following list shows the supported values:
-- 0 – Alphanumeric PIN or password required.
-- 1 – Numeric PIN or password required.
-- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password.
+- 0 – Password or Alphanumeric PIN required.
+- 1 – Password or Numeric PIN required.
+- 2 (default) – Password, Numeric PIN, or Alphanumeric PIN required.
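Review bot: In values 0 and 1 the reordering makes the qualifier ambiguous: "Password or Alphanumeric PIN required" no longer says whether the password itself must be alphanumeric (or numeric for value 1), which the old wording at least implied. State the complexity requirement for the password and the PIN separately. Value 2 also drops "Users can choose", so "Password, Numeric PIN, or Alphanumeric PIN required" reads as a requirement rather than a choice left to the user.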
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 88f01acdce..52fa2a92d0 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -17,6 +17,13 @@ ms.date: 11/07/2018
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## February 2019
+
+New or changed topic | Description
+--- | ---
+[Set up a single-app kiosk](kiosk-single-app.md) | Replaced instructions for Microsoft Intune with a link to the Intune documentation.
+[Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) | Replaced instructions for Intune with a link to the Intune documentation.
+
## January 2019
New or changed topic | Description
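Review bot: The February 2019 entry for lock-down-windows-10-to-specific-apps.md mentions only the Intune link replacement, but the same patch also changes the `rs5:AutoLaunch` guidance in that topic to "a single app". That is a behavioral clarification and worth listing. The two rows also name the product differently ("Microsoft Intune" and "Intune"); pick one.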
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 02c0137f83..e928698268 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -36,7 +36,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
-### Requirements
+## Requirements
>[!WARNING]
>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
@@ -50,7 +50,7 @@ Using Shell Launcher, you can configure a kiosk device that runs a Windows deskt
[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
-### Configure Shell Launcher
+## Configure Shell Launcher
To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 7c3e7243b9..64a3ca542a 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -238,30 +238,14 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
>
>Account type: Local standard user, Azure AD
-
+
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
>[!TIP]
>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp).
-The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider.
-
-**To configure kiosk in Microsoft Intune**
-
-2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
-3. Select **Device configuration**.
-4. Select **Profiles**.
-5. Select **Create profile**.
-6. Enter a friendly name for the profile.
-7. Select **Windows 10 and later** for the platform.
-8. Select **Device restrictions** for the profile type.
-9. Select **Kiosk**.
-10. In **Kiosk Mode**, select **Single app kiosk**.
-1. Enter the user account (Azure AD or a local standard user account).
-11. Enter the Application User Model ID for an installed app.
-14. Select **OK**, and then select **Create**.
-18. Assign the profile to a device group to configure the devices in that group as kiosks.
+To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For other MDM services, see the documentation for your provider.
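Review bot: The "-"/"+" pair of empty lines just above the "Microsoft Intune and other MDM services" paragraph shows no visible difference. If the removed line carried an anchor or only trailing whitespace, say which, and confirm that in-page links to this MDM section still resolve. The removed steps also told the reader that the account may be "Azure AD or a local standard user account"; check that the linked Intune article states this, since the remaining paragraph only says "user account name".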
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index caa9d860ab..b927ef5c8e 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -46,30 +46,7 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
## Configure a kiosk in Microsoft Intune
-1. [Generate the Start layout for the kiosk device.](#startlayout)
-2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
-3. Select **Device configuration**.
-4. Select **Profiles**.
-5. Select **Create profile**.
-6. Enter a friendly name for the profile.
-7. Select **Windows 10 and later** for the platform.
-8. Select **Kiosk (Preview)** for the profile type.
-9. Select **Kiosk - 1 setting available**.
-10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
-12. Enter a friendly name for the configuration.
-10. In **Kiosk Mode**, select **Multi app kiosk**.
-13. Select an app type.
- - For **Add Win32 app**, enter a friendly name for the app in **App Name**, and enter the path to the app executable in **Identifier**.
- - For **Add managed apps**, select an app that you manage through Intune.
- - For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app.
-14. Select whether to enable the taskbar.
-15. Browse to and select the Start layout XML file that you generated in step 1.
-16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available.
-17. Select **OK**. You can add additional configurations or finish.
-18. Assign the profile to a device group to configure the devices in that group as kiosks.
-
->[!NOTE]
->Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription.
+To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows).
## Configure a kiosk using a provisioning package
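Review bot: Removing the numbered steps also removes step 1, "Generate the Start layout for the kiosk device" with its `#startlayout` link, and step 15, which consumed that file. The Intune section then no longer tells the reader that a Start layout XML is a prerequisite. Keep a one-line pointer to `#startlayout` next to the new link. The removed note defining managed apps (Microsoft Store for Business apps synced with Intune) should survive somewhere if the linked article does not define the term.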
@@ -178,7 +155,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
-- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
+- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
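Review bot: "To configure a single app to launch automatically" does not say that `rs5:AutoLaunch="true"` may be set on only one app, nor what happens if it is set on several. If the limit is one, state it explicitly ("Only one app can be marked ..."). The unchanged context line below has the typo "mult-app", which could be fixed in the same pass because it introduces the AppLocker rules that enforce the allow list.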
@@ -674,4 +651,4 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont
## Other methods
-Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md).
\ No newline at end of file
+Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md).
diff --git a/windows/deployment/update/images/security-only-update.png b/windows/deployment/update/images/security-only-update.png
new file mode 100644
index 0000000000..9ed3d0f791
Binary files /dev/null and b/windows/deployment/update/images/security-only-update.png differ
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index d87885e183..e4efb40317 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -7,7 +7,6 @@ ms.sitesec: library
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 11/16/2018
---
# Configure Windows Update for Business
@@ -17,6 +16,8 @@ ms.date: 11/16/2018
- Windows 10
- Windows 10 Mobile
+- Windows Server 2016
+- Windows Server 2019
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
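Review bot: Windows Server 2016 and Windows Server 2019 are added to the "Applies to" list with no accompanying change to the body in this patch. Confirm that every policy and deferral setting described in the topic actually applies to Server, or note the exceptions. The same applies to the identical addition in waas-manage-updates-wufb.md.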
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index d1fbc267eb..ba0843abc3 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -16,6 +16,8 @@ ms.author: jaimeo
- Windows 10
- Windows 10 Mobile
+- Windows Server 2016
+- Windows Server 2019
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
new file mode 100644
index 0000000000..27e3799565
--- /dev/null
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -0,0 +1,115 @@
+---
+title: Servicing differences between Windows 10 and older operating systems
+description: Learn the differences between servicing Windows 10 and servicing older operating systems.
+keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: KarenSimWindows
+ms.localizationpriority: medium
+ms.author: karensim
+---
+# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
+
+>Applies to: Windows 10
+
+>**February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.**
+
+Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates.
+
+The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2).
+
+>[!NOTE]
+>A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc.
+
+## Infinite fragmentation
+Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates.
+
+As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
+
+This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
+
+## Windows 10 – Next generation
+Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation.
+
+This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
+
+Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
+
+
+
+*Figure 1.0 - High level cumulative update model*
+
+Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
+
+This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10.
+
+### Points to consider
+
+- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new.
+- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.)
+- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
+- For Windows 10, available update types vary by publishing channel:
+ - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
+ - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this example for Windows 10, version 1709) For more information on Servicing Stack Updates, please see this blog.
+ - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
+- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
+
+## Windows 7 and legacy OS versions
+While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016.
+
+Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems.
+
+The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month’s Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
+
+
+*Figure 2.0 - Legacy OS security-only update model*
+
+Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft’s test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
+
+### Points to consider
+- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
+- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.)
+- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security required" updates, because both have the full set of security updates in them. The Monthly Rollup may have additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed.
+- Given the differences between the cumulative Monthly Rollups and the single-month Security-only update packages, switching between these update types is not advised. Differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type with high consistency – Monthly Rollup or Security-only – is recommended.
+- With all Legacy OS versions now in the Extended Support stage of their 10-year lifecycle, they typically receive only security updates for both Monthly Rollup and Security Only updates. Using Express for the Monthly Rollup results in almost the same package size as Security Only, with the added confidence of ensuring all relevant updates are installed.
+- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback.
+- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup.
+- [Updates for .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated.
+- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
+
+## Public preview releases
+Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
+
+### Examples
+Windows 10 version 1709:
+- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot.
+- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required.
+- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
+All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models.
+
+
+*Figure 3.0 - Preview releases within the Windows 10 LCU model*
+
+## Previews vs. on-demand releases
+In 2018, we experienced incidents which required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
+
+As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month’s Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
+
+### Point to consider
+- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
+- Rarely do incidents with Update Tuesday releases impact more than .1% of the total population. With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however.
+- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices.
+- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way.
+
+In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure.
+
+## Resources
+- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530)
+- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772)
+- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783)
+- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/)
+- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798)
+- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/)
+- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376)
+- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434)
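Review bot: The added prose has several copy errors that should be fixed before merge: "offered as part an On-Demand release" is missing "of", "a Update Tuesday release" should read "an Update Tuesday release", and "Window 10" should be "Windows 10". The heading "### Point to consider" introduces four bullets, so it should be plural. The terms "on-demand", "On-Demand" and "out of band" are all used for the same kind of release; pick one and define it once.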
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index 31b15c1429..c11042619d 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -195,7 +195,7 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that
> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries.
### Device names not appearing for Windows 10 devices
-Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
+Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates.
### Disable Upgrade Readiness
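Review bot: The added sentences explain why an admin would opt in but still do not name the setting that controls it. The get-started table in this same patch calls it AllowDeviceNameInTelemetry; naming it here saves the reader a click and makes this FAQ entry searchable by policy name.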
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index 11b2b08514..849127c525 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -163,7 +163,7 @@ These policies are under Microsoft\Windows\DataCollection:
| CommercialId | In order for your devices to show up in Windows Analytics, they must be configured with your organization’s Commercial ID. |
| AllowTelemetry (in Windows 10) | 1 (Basic), 2 (Enhanced) or 3 (Full) diagnostic data. Windows Analytics will work with basic diagnostic data, but more features are available when you use the Enhanced level (for example, Device Health requires Enhanced diagnostic data and Upgrade Readiness only collects app usage and site discovery data on Windows 10 devices with Enhanced diagnostic data). For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
| LimitEnhancedDiagnosticDataWindowsAnalytics (in Windows 10) | Only applies when AllowTelemetry=2. Limits the Enhanced diagnostic data events sent to Microsoft to just those needed by Windows Analytics. For more information, see [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields).|
-| AllowDeviceNameInTelemetry (in Windows 10) | In Windows 10, version 1803, a separate opt-in is required to enable devices to continue to send the device name. |
+| AllowDeviceNameInTelemetry (in Windows 10) | In Windows 10, version 1803, a separate opt-in is required to enable devices to continue to send the device name. Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. |
| CommercialDataOptIn (in Windows 7 and Windows 8) | 1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
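Review bot: The AllowDeviceNameInTelemetry cell now explains the benefit of opting in but still gives no value, unlike the neighbouring rows ("1 (Basic), 2 (Enhanced) or 3 (Full)", "1 is required for Upgrade Readiness"). State which value enables collection of the device name. "In Windows 10, version 1803" also reads as applying to that version only, while the FAQ text in this patch says "Starting with Windows 10, version 1803"; the two should agree.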
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 9f15d874d2..25472e32ba 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -24,6 +24,7 @@ Everyone wins when transparency is a top priority. We want you to know when upda
The latest news:
+- Windows Update for Business and the retirement of SAC-T - February 14, 2019
- Application compatibility in the Windows ecosystem - January 15, 2019
- Windows monthly security and quality updates overview - January 10, 2019
- Driver quality in the Windows ecosystem - December 19, 2018
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 638a2ff2e1..c4202da9c9 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -103,10 +103,10 @@ If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_M
You may choose to apply a rule to permit HTTP RANGE requests for the following URLs:
*.download.windowsupdate.com
-*.au.windowsupdate.com
-*.tlu.dl.delivery.mp.microsoft.com
+*.dl.delivery.mp.microsoft.com
+*.emdl.ws.microsoft.com
-If you cannot permit RANGE requests, you can configure a Group Policy or MDM Policy setting that will bypass Delivery Optimization and use BITS instead.
+If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work).
## The update is not applicable to your computer
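Review bot: The replacement sentence at the end of this hunk removes the only workaround the section offered (a Group Policy or MDM setting to bypass Delivery Optimization and use BITS) and does not say whether that setting is still valid. A reader who hits 0x80d05001 and cannot permit RANGE requests is now told only that more content is downloaded, not whether the download succeeds or what to configure. Also confirm that replacing "*.tlu.dl.delivery.mp.microsoft.com" with the broader "*.dl.delivery.mp.microsoft.com" is intentional, since admins will copy these patterns directly into proxy allow rules.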
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index afefc6519e..e363b4d807 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
-ms.date: 03/30/2018
ms.localizationpriority: medium
---
@@ -22,7 +21,7 @@ ms.localizationpriority: medium
If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process.
-Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase.
+Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100.
These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
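Review bot: The note appended to the phases sentence gives the key path but not the name or registry type of the value under it, and "a binary value in the range 0-100" does not say what the number represents (presumably percent complete, but the text should state it). Anyone scripting a progress check needs those details. The note would also read better as its own paragraph rather than being run onto the end of the sentence about reboots.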
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index e9b94e674c..469b80ff01 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -8,7 +8,6 @@ ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mobile
author: greg-lindsay
-ms.date: 10/25/2018
---
# Windows 10 edition upgrade
@@ -24,7 +23,7 @@ For a list of operating systems that qualify for the Windows 10 Pro Upgrade or W
The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
-Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuratio Manager.
+Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuration Manager.
 (X) = not supported
 (green checkmark) = supported, reboot required
@@ -59,7 +58,6 @@ X = unsupported
| **Pro for Workstations > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - MSfB) |  |  |
| **Pro Education > Education** |  |  |  | 
(MSfB) |  |  |
| **Enterprise > Education** |  |  |  | 
(MSfB) |  |  |
-| **Enterprise LTSC > Enterprise** |  |  |  | 
(MSfB) |  |  |
| **Mobile > Mobile Enterprise** |  | |  |  |  |  |
> [!NOTE]
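Review bot: The "Enterprise LTSC > Enterprise" row is removed with no replacement text, while windows-10-upgrade-paths.md in this same patch adds a sentence saying upgrade from LTSC is supported through the in-place upgrade process. If the row is dropped because none of the edition-change methods in this table apply to LTSC, say so in a note under the table so the two pages do not appear to contradict each other.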
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index c4d8887279..91d6394973 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -7,7 +7,6 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: mobile
author: greg-lindsay
-ms.date: 07/06/2018
---
# Windows 10 upgrade paths
@@ -24,7 +23,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
->In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later.
+>In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup).
>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
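Review bot: The appended sentence "Upgrade is supported using the in-place upgrade process (using Windows setup)." has no subject, and the same paragraph opens with "In-place upgrade ... to Windows 10 LTSC is not supported". Name the direction explicitly, for example "Upgrade from Windows 10 LTSC to semi-annual channel is supported using ...", so the paragraph cannot be read as reversing its first sentence.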
diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md
index e47d792388..5a5dcf695d 100644
--- a/windows/deployment/windows-autopilot/registration-auth.md
+++ b/windows/deployment/windows-autopilot/registration-auth.md
@@ -39,7 +39,7 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus

- Select the checkbox indicating whether or not you want delegated admin rights:

- - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in tihs document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
+ - NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/en-us/partner-center/customers_revoke_admin_privileges
- Send the template above to the customer via email.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page:
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index e8a141004f..68138d4b86 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -18,7 +18,7 @@ ms.author: greg-lindsay
Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection).
-Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, levering the enrollment status page to prevent access to the desktop until the device is fully provisioned.
+Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned.
>[!NOTE]
>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
index ff491c2f9d..260b773472 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md
@@ -41,11 +41,11 @@ In environments that have more restrictive internet access, or for those that re
- NOTE: If Windows Update is inaccessible, the AutoPilot process will still continue.
-- **Delivery Optimization.** When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices don’t need to download it from the internet.
+- **Delivery Optimization.** When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
-
- - NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue.
+ - NOTE: If Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
- **Network Time Protocol (NTP) Sync.** When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate.
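Review bot: The rewritten bullet and note are inconsistent in naming: "Delivery Optimization service" in the bullet versus "Delivery Optimization Service" in the note, and "Office Updates" and "Intune Win32 Apps" are capitalised while "app updates" is not. The note's new wording is a behaviour change worth keeping precise: state plainly that content is then fetched over HTTP from the cloud source with no peer-to-peer sharing, so network admins know which endpoints still have to be reachable.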
@@ -79,4 +79,4 @@ In environments that have more restrictive internet access, or for those that re
- (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above)
-- **Certificate revocation lists (CRLs).** Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented in the Office documentation at and .
\ No newline at end of file
+- **Certificate revocation lists (CRLs).** Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented in the Office documentation at and .
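Review bot: The CRL bullet ends "documented in the Office documentation at and ." with both link targets missing, and this hunk only adds the trailing newline without repairing it. Since the line is being touched anyway, restore the two references; as written, an admin building a restrictive allow list has no way to find the CRL endpoints the sentence promises.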
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index 79ef8ac888..05bbed9fe0 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 12/27/2018
+ms.date: 02/15/2019
---
@@ -65,11 +65,12 @@ The following fields are available:
- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows
- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows
- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows
-- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
-- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
-- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows
+- **SystemProcessorNx** The total number of objects of this type present on this device.
+- **SystemProcessorPrefetchW** The total number of objects of this type present on this device.
+- **SystemProcessorSse2** The total number of objects of this type present on this device.
+- **SystemWim** The total number of objects of this type present on this device.
- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows
-- **SystemWlan** The count of InventoryApplicationFile objects present on this machine.
+- **SystemWlan** The total number of objects of this type present on this device.
- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
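Review bot: The hunk corrects the mismatched descriptions for SystemProcessorNx, SystemProcessorSse2, SystemWim and SystemWlan but leaves the same kind of mismatch on the unchanged neighbours: InventorySystemBios is still described as a count of DecisionDevicePnp objects, PCFP as DecisionDriverPackage, SystemProcessorCompareExchange as DecisionMatchingInfoBlock, and SystemWindowsActivationStatus as DecisionSystemBios. Those should be fixed in the same pass. The replacement text "The total number of objects of this type present on this device." is also identical for every field, so consider naming the object type in each.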
@@ -475,7 +476,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
-This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
The following fields are available:
@@ -1270,7 +1271,7 @@ This event sends version data about the Apps running on this device, to help kee
The following fields are available:
- **CensusVersion** The version of Census that generated the current data for this device.
-- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
+- **IEVersion** The version of Internet Explorer that is running on the device.
### Census.Battery
@@ -1757,6 +1758,20 @@ The following fields are available:
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+## Component-based Servicing events
+
+### CbsServicingProvider.CbsCapabilitySessionFinalize
+
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+
+
+
+### CbsServicingProvider.CbsCapabilitySessionPended
+
+This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date.
+
+
+
## Content Delivery Manager events
### Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent
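Review bot: Both new CbsServicingProvider events are added with a one-line description and no "The following fields are available:" list, unlike the other events in this file. For a diagnostic-data reference the field list is what readers audit, so either list the fields or state that the event carries none. Each description is also followed by three blank lines where one would do.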
@@ -1827,6 +1842,7 @@ The following fields are available:
- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save.
- **LastBugCheckOtherSettings** Other crash dump settings.
- **LastBugCheckParameter1** The first parameter with additional info on the type of the error.
+- **LastBugCheckProgress** Progress towards writing out the last crash dump.
- **LastSuccessfullyShutdownBootId** The Boot ID of the last fully successful shutdown.
- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released").
- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed").
@@ -1841,7 +1857,7 @@ The following fields are available:
- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
- **TransitionInfoBootId** The Boot ID of the captured transition information.
- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved.
-- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited").
+- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited").
- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered").
- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved.
- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp.
@@ -1890,7 +1906,7 @@ The following fields are available:
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
- **CanPerformScripting** True if UTC is allowed to perform scripting.
- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
-- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **CanReportScenarios** True if we can report scenario completions, false otherwise.
- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
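Review bot: The new CanReportScenarios text is less precise than the line it replaces. It drops "failure, and cancellation events", switches to "we" while the sibling fields say "True if UTC is allowed to ...", and leaves out the "load" capability. Unless the field's meaning actually narrowed, keep the original wording.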
@@ -2017,6 +2033,80 @@ The following fields are available:
- **WDDMVersion** The Windows Display Driver Model version.
+## Failover Clustering events
+
+### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
+
+This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations.
+
+The following fields are available:
+
+- **autoAssignSite** The cluster parameter: auto site.
+- **autoBalancerLevel** The cluster parameter: auto balancer level.
+- **autoBalancerMode** The cluster parameter: auto balancer mode.
+- **blockCacheSize** The configured size of the block cache.
+- **ClusterAdConfiguration** The ad configuration of the cluster.
+- **clusterAdType** The cluster parameter: mgmt_point_type.
+- **clusterDumpPolicy** The cluster configured dump policy.
+- **clusterFunctionalLevel** The current cluster functional level.
+- **clusterGuid** The unique identifier for the cluster.
+- **clusterWitnessType** The witness type the cluster is configured for.
+- **countNodesInSite** The number of nodes in the cluster.
+- **crossSiteDelay** The cluster parameter: CrossSiteDelay.
+- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold.
+- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay.
+- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold.
+- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters.
+- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters.
+- **csvResourceCount** The number of resources in the cluster.
+- **currentNodeSite** The name configured for the current site for the cluster.
+- **dasModeBusType** The direct storage bus type of the storage spaces.
+- **downLevelNodeCount** The number of nodes in the cluster that are running down-level.
+- **drainOnShutdown** Specifies whether a node should be drained when it is shut down.
+- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled.
+- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity.
+- **genAppNames** The win32 service name of a clustered service.
+- **genSvcNames** The command line of a clustered genapp.
+- **hangRecoveryAction** The cluster parameter: hang recovery action.
+- **hangTimeOut** Specifies the “hang time out” parameter for the cluster.
+- **isCalabria** Specifies whether storage spaces direct is enabled.
+- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes.
+- **isRunningDownLevel** Identifies if the current node is running down-level.
+- **logLevel** Specifies the granularity that is logged in the cluster log.
+- **logSize** Specifies the size of the cluster log.
+- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID.
+- **minNeverPreempt** The cluster parameter: minimum never preempt.
+- **minPreemptor** The cluster parameter: minimum preemptor priority.
+- **netftIpsecEnabled** The parameter: netftIpsecEnabled.
+- **NodeCount** The number of nodes in the cluster.
+- **nodeId** The current node number in the cluster.
+- **nodeResourceCounts** Specifies the number of node resources.
+- **nodeResourceOnlineCounts** Specifies the number of node resources that are online.
+- **numberOfSites** The number of different sites.
+- **numNodesInNoSite** The number of nodes not belonging to a site.
+- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes.
+- **preferredSite** The preferred site location.
+- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster.
+- **quarantineDuration** The quarantine duration.
+- **quarantineThreshold** The quarantine threshold.
+- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period.
+- **resiliencyLevel** Specifies the level of resiliency.
+- **resourceCounts** Specifies the number of resources.
+- **resourceTypeCounts** Specifies the number of resource types in the cluster.
+- **resourceTypes** Data representative of each resource type.
+- **resourceTypesPath** Data representative of the DLL path for each resource type.
+- **sameSubnetDelay** The cluster parameter: same subnet delay.
+- **sameSubnetThreshold** The cluster parameter: same subnet threshold.
+- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster).
+- **securityLevel** The cluster parameter: security level.
+- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes.
+- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down.
+- **upNodeCount** Specifies the number of nodes that are up (online).
+- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV.
+- **vmIsolationTime** The cluster parameter: VM isolation time.
+- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database.
+
+
## Fault Reporting events
### Microsoft.Windows.FaultReporting.AppCrashEvent
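Review bot: Several descriptions in the new ClusterSummary2 field list look wrong or duplicated. genAppNames is described as "The win32 service name of a clustered service" and genSvcNames as "The command line of a clustered genapp", which appear to be swapped. countNodesInSite and NodeCount share the text "The number of nodes in the cluster", and csvResourceCount reads "The number of resources in the cluster" with no mention of CSV. sharedVolumeBlockCacheSize has a repeated phrase ("for shared for shared volumes"), and netftIpsecEnabled is defined only by restating its own name. Because one of these fields carries a command line and resourceTypesPath carries DLL paths, the descriptions should also say in what form those values are reported.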
@@ -2227,6 +2317,30 @@ The following fields are available:
- **Version** The version number of the program.
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
+
+This event represents what drivers an application installs.
+
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
+
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on.
+
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+
+
+
### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
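Review bot: The InventoryApplicationDriverStartSync description refers to "InventoryApplicationDriverStartAdd events", but the event added just above it is InventoryApplicationDriverAdd; the name in the description looks like a typo. As with the other new events in this file, none of the four added here has a field list, which leaves the reference incomplete for anyone reviewing what is collected.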
@@ -2378,33 +2492,34 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **Class** The device setup class of the driver loaded for the device
-- **ClassGuid** The device class GUID from the driver package
-- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device. See [COMPID](#compid).
-- **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
-- **Description** The device description
-- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
-- **DriverId** A unique identifier for the installed device.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device class unique identifier of the driver package loaded on the device.
+- **COMPID** The list of “Compatible IDs” for this device. See [COMPID](#compid).
+- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to.
+- **Description** The description of the device.
+- **DeviceState** Identifies the current state of the parent (main) device.
+- **DriverId** The unique identifier for the installed driver.
- **DriverName** The name of the driver image file.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
- **DriverVerDate** The date of the driver loaded for the device
- **DriverVerVersion** The version of the driver loaded for the device
-- **Enumerator** The bus that enumerated the device
-- **HWID** A JSON array that provides the value and order of the HWID tree for the device. See [HWID](#hwid).
-- **Inf** The INF file name.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
-- **InventoryVersion** The version of the inventory file generating the events.
-- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
-- **LowerFilters** Lower filter drivers IDs installed for the device
-- **Manufacturer** The device manufacturer
-- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance
-- **Model** The device model
-- **ParentId** Device instance id of the parent of the device
-- **ProblemCode** The current error code for the device.
-- **Provider** The device provider
-- **Service** The device service name
-- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device. See [STACKID](#stackid).
-- **UpperClassFilters** Upper filter class drivers IDs installed for the device
-- **UpperFilters** Upper filter drivers IDs installed for the device
+- **Enumerator** Identifies the bus that enumerated the device.
+- **HWID** A list of hardware IDs for the device. See [HWID](#hwid).
+- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InventoryVersion** The version number of the inventory process generating the events.
+- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
+- **LowerFilters** The identifiers of the Lower filters installed for the device.
+- **Manufacturer** The manufacturer of the device.
+- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance.
+- **Model** Identifies the model of the device.
+- **ParentId** The Device Instance ID of the parent of the device.
+- **ProblemCode** The error code currently returned by the device, if applicable.
+- **Provider** Identifies the device provider.
+- **Service** The name of the device service.
+- **STACKID** The list of hardware IDs for the stack. See [STACKID](#stackid).
+- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device.
+- **UpperFilters** The identifiers of the Upper filters installed for the device.
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
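Review bot: The rewritten **DeviceState** line removes the bitmask definition (DEVICE_IS_CONNECTED 0x0001 through DEVICE_IS_WIRELESS_FAT 0x0200, plus the common values 32, 96 and 288) and leaves only "Identifies the current state of the parent (main) device", so a reader can no longer decode the value that is collected. Keep the flag table, or link to where it is documented. Two other lines change meaning rather than wording and need confirmation: **DriverId** goes from "installed device" to "installed driver", and **COMPID**, **HWID** and **STACKID** no longer say they are ordered JSON arrays. The new **COMPID** text also uses curly quotes around Compatible IDs where the rest of the file uses straight quotes.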
@@ -2429,6 +2544,18 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
+
+This event sends basic metadata about the USB hubs on the device.
+
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
+
+
+
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
This event provides the basic metadata about driver binaries running on the system.
@@ -2567,6 +2694,18 @@ This event provides insight data on the installed Office products
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
+
+This diagnostic event indicates that a new sync is being generated for this object type.
+
+
+
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
Describes Office Products installed.
@@ -2591,6 +2730,18 @@ Indicates a new sync is being generated for this object type.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
Provides data on Unified Update Platform (UUP) products and what version they are at.
@@ -3215,6 +3366,12 @@ The following fields are available:
- **Time** The system time at which the event began.
+### Microsoft.Windows.Sediment.Info.DetailedState
+
+This event is sent when detailed state information is needed from an update trial run.
+
+
+
### Microsoft.Windows.Sediment.Info.DownloadServiceError
This event provides information when the Download Service returns an error. The information provided helps keep Windows up to date.
@@ -3394,6 +3551,17 @@ The following fields are available:
- **Url** The new URL from which content will be executed.
+### Microsoft.Windows.Sediment.OSRSS.SelfUpdate
+
+This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The major version number for the component.
+- **ServiceVersionMinor** The minor version number for the component.
+- **Time** The system timestamp for when the event occurred.
+
+
### Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
@@ -3408,6 +3576,17 @@ The following fields are available:
- **Time** System timestamp the event was fired
+### Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
+
+This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed.
+
+The following fields are available:
+
+- **CheckName** The name of the applicability check that failed.
+- **InstallerVersion** The version information for the installer component.
+- **Time** The system timestamp for when the event occurred.
+
+
### Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update to itself. This information helps ensure Windows is up to date.
@@ -3855,6 +4034,26 @@ The following fields are available:
- **threadId** The ID of the thread on which the activity is executing.
+## SIH events
+
+### SIHEngineTelemetry.EvalApplicability
+
+This event is sent when targeting logic is evaluated to determine if a device is eligible a given action.
+
+
+
+### SIHEngineTelemetry.ExecuteAction
+
+This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot.
+
+
+
+### SIHEngineTelemetry.PostRebootReport
+
+This event reports the status of an action following a reboot, should one have been required.
+
+
+
## Software update events
### SoftwareUpdateClientTelemetry.CheckForUpdates
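Review bot: Two of the new SIH descriptions have wording errors: in EvalApplicability, "eligible a given action" is missing "for", and in ExecuteAction, "triggered with SIH attempts" should read "triggered when SIH attempts". SIH is also used in this new section heading without being expanded; spell out Self-Initiated Healing on first use here, as the field descriptions elsewhere in this patch do.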
@@ -3977,36 +4176,36 @@ The following fields are available:
- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
-- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **AppXDownloadScope** Indicates the scope of the download for application content.
- **BiosFamily** The family of the BIOS (Basic Input Output System).
- **BiosName** The name of the device BIOS.
- **BiosReleaseDate** The release date of the device BIOS.
-- **BiosSKUNumber** The sku number of the device BIOS.
+- **BiosSKUNumber** The SKU number of the device BIOS.
- **BIOSVendor** The vendor of the BIOS.
- **BiosVersion** The version of the BIOS.
-- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
+- **BundleId** Identifier associated with the specific content bundle.
- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
- **BundleRevisionNumber** Identifies the revision number of the content bundle.
- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable.
+- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client.
+- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download.
- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
- **ClientVersion** The version number of the software distribution client.
- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **DeviceModel** What is the device model.
-- **DeviceOEM** What OEM does this device belong to.
+- **DeviceModel** The model of the device.
+- **DeviceOEM** Identifies the Original Equipment Manufacturer (OEM) of the device.
- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
-- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
-- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
-- **Edition** Indicates the edition of Windows being used.
+- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events.
+- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads.
+- **Edition** Identifies the edition of Windows currently running on the device.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
-- **EventType** Possible values are Child, Bundle, or Driver.
+- **EventNamespaceID** The ID of the test events environment.
+- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed.
+- **EventType** Identifies the type of the event (Child, Bundle, or Driver).
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
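Review bot: The **EventNamespaceID** replacement is a change of meaning, not a rewording: the old text described a success/failure indicator in the format EventType+Event, and the new text says "The ID of the test events environment". Please confirm which is correct before merging, since the two cannot both describe the same field. In **DownloadScenarioId**, "Delivery Optimizer" should be "Delivery Optimization", matching the **UsedDO** line later in this patch. **AppXDownloadScope** loses its list of values (AllContent, RequiredOnly, AutomaticOnly, Unknown), and **BundleId** loses the note that the value should not be all zeros; both were useful to anyone interpreting the data and should be kept.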
@@ -4016,39 +4215,39 @@ The following fields are available:
- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
-- **HostName** The hostname URL the content is downloading from.
+- **HostName** The parent URL the content is downloading from.
- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
-- **IsAOACDevice** Is it Always On, Always Connected?
+- **IsAOACDevice** Indicates whether the device is an Always On, Always Connected (AOAC) device.
- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
-- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkCostBitMask** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content.
- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
- **PackageFullName** The package name of the content.
- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
-- **PlatformRole** The PowerPlatformRole as defined on MSDN
+- **PlatformRole** The role of the OS platform (Desktop, Mobile, Workstation, etc.).
- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector.
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
-- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
-- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **RevisionNumber** The revision number of the specified piece of content.
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
+- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
- **SystemBIOSMajorRelease** Major version of the BIOS.
- **SystemBIOSMinorRelease** Minor version of the BIOS.
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package.
- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
-- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
-- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded.
- **UpdateId** An identifier associated with the specific piece of content.
- **UpdateID** An identifier associated with the specific piece of content.
-- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **UsedDO** Whether the download used the delivery optimization service.
+- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional.
+- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service.
- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
- **WUSetting** Indicates the users' current updating settings.
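Review bot: **TargetMetadataVersion** changes from the target version of the SIH engine to "The version of the currently downloading (or most recently downloaded) package", which describes a different thing; confirm the new meaning is the accurate one. **ServiceGuid** now says "Windows Store" where the removed line said "Microsoft Store", and other descriptions in this file still use Microsoft Store, so the naming should be made consistent. **TimeToEstablishConnection** is touched but still ends with "prior to beginning downloaded"; fix it to "prior to beginning the download" while editing the line. **HostName** as "The parent URL" is less clear than the old "hostname URL"; say whether the value is a host name or a full URL.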
@@ -4221,7 +4420,7 @@ The following fields are available:
- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
- **ExtendedStatusCode** The secondary status code of the event.
-- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed.
- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
@@ -4232,7 +4431,7 @@ The following fields are available:
- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
-- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **SHA256OfTimestampToken** An encoded string of the timestamp token.
- **SignatureAlgorithm** The hash algorithm for the metadata signature.
- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
- **StatusCode** The status code of the event.
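Review bot: The new **SHA256OfTimestampToken** text, "An encoded string of the timestamp token", drops both facts the old line stated: that the value is a hash of the token blob and that the encoding is base64. As written it reads as if the token itself is sent, which contradicts the field name and differs from the neighbouring **SHA256OfLeafCerData** description. Suggest keeping the original meaning, for example "A base64-encoded string of the hash of the timestamp token blob."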
@@ -4452,6 +4651,22 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgentCommit
+
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
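Review bot: In the new UpdateAgentCommit section, **ErrorCode** and **Result** both refer to the "install phase", although the event is described as covering the commit phase. These look copied from the install event; reword them to say commit phase, or state that the values are shared across phases.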
@@ -4483,6 +4698,26 @@ The following fields are available:
- **UpdateId** Unique ID for each Update.
+### Update360Telemetry.UpdateAgentExpand
+
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase.
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each update.
+
+
### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
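Review bot: In UpdateAgentExpand, **StartSandboxSize** is described as "Sandbox size after expand phase", identical to **EndSandboxSize**; by analogy with **StartFreeSpace** ("Free space before expand phase") it should say before. **ErrorCode** again refers to the "install phase" in an expand event. **ElapsedTickCount**, **EndFreeSpace** and the sandbox sizes should also state their units.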
@@ -4501,6 +4736,22 @@ The following fields are available:
- **UpdateId** Unique ID for each update.
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** The result for the current install phase.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
### Update360Telemetry.UpdateAgentMitigationResult
This event sends data indicating the result of each update agent mitigation.
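Review bot: The field descriptions in UpdateAgentInstall appear shifted by one: **FlightId** carries "Unique value for each Update Agent mode", which the Commit and Expand events in this patch give to **ObjectId**, while **ObjectId** here repeats the **RelatedCV** text ("Correlation vector value generated from the latest USO scan"). Align them with the other Update360Telemetry events: FlightId as the unique ID for each flight, ObjectId as the unique value for each Update Agent mode.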
@@ -4578,6 +4829,18 @@ The following fields are available:
## Upgrade events
+### FacilitatorTelemetry.DCATDownload
+
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
+
+
+
+### FacilitatorTelemetry.InitializeDU
+
+This event determines whether devices received additional or critical supplemental content during an OS upgrade.
+
+
+
### Setup360Telemetry.Downlevel
This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
@@ -4865,7 +5128,7 @@ The following fields are available:
- **RebootReason** Reason for the reboot.
-## Microsoft Store events
+## Windows Store events
### Microsoft.Windows.Store.Partner.ReportApplication
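Review bot: The heading change from "## Microsoft Store events" to "## Windows Store events" moves away from the name used in other descriptions in this same file (for example the ServiceGuid line that reads "Windows Update or Microsoft Store"). If this is an artifact of regenerating the file, revert it; a heading rename also changes the section anchor, which can break existing links to it.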
@@ -5623,17 +5886,17 @@ This event indicates that a scan for a Windows Update occurred.
The following fields are available:
-- **deferReason** Reason why the device could not check for updates.
-- **detectionBlockreason** Reason for detection not completing.
+- **deferReason** The reason why the device could not check for updates.
+- **detectionBlockreason** The reason detection did not complete.
- **detectionDeferreason** A log of deferral reasons for every update state.
-- **errorCode** The returned error code.
+- **errorCode** The error code returned for the current process.
- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **flightID** The specific ID of the Windows Insider build the device is getting.
-- **interactive** Indicates whether the session was user initiated.
-- **revisionNumber** Update revision number.
-- **updateId** Update ID.
-- **updateScenarioType** The update session type.
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
+- **interactive** Indicates whether the user initiated the session.
+- **revisionNumber** The Update revision number.
+- **updateId** The unique identifier of the Update.
+- **updateScenarioType** Identifies the type of update session being performed.
+- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.Download
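Review bot: The new **flightID** sentence is ungrammatical: "The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable" is missing "that" before "should be delivered". The context line for **eventScenario** still describes the field as "End-to-end update session ID, or indicates the purpose of sending this event", which are two different things; since the surrounding lines are being cleaned up, this is a good place to settle on one.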
@@ -5696,7 +5959,7 @@ The following fields are available:
- **deferReason** Reason for install not completing.
- **errorCode** The error code reppresented by a hexadecimal value.
- **eventScenario** End-to-end update session ID.
-- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightID** The ID of the Windows Insider build the device is getting.
- **flightUpdate** Indicates whether the update is a Windows Insider build.
- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
@@ -5741,14 +6004,26 @@ This event is sent after a Windows update install completes.
The following fields are available:
-- **batteryLevel** Current battery capacity in mWh or percentage left.
-- **bundleId** Identifier associated with the specific content bundle.
+- **batteryLevel** Current battery capacity in megawatt-hours (mWh) or percentage left.
+- **bundleId** The unique identifier associated with the specific content bundle.
- **bundleRevisionnumber** Identifies the revision number of the content bundle.
- **errorCode** The error code returned for the current phase.
- **eventScenario** State of update action.
-- **flightID** Unique update ID.
+- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
- **sessionType** The Windows Update session type (Interactive or Background).
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **wuDeviceid** The unique device identifier used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
+
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
+
+The following fields are available:
+
+- **powermenuNewOptions** The new options after the power menu changed.
+- **powermenuOldOptions** The old options before the power menu changed.
+- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, this indicates how long that reboot has been pending.
+- **wuDeviceid** The device ID recorded by Windows Update if the power menu changed because a reboot is pending due to an update.
### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
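Review bot: The **batteryLevel** expansion is wrong: mWh is milliwatt-hours, not "megawatt-hours". The same line still leaves open whether the value is a capacity or a percentage, so say how a consumer tells the two apart. **flightID** repeats the ungrammatical "should be delivered to the device" sentence from the earlier hunk and replaces "Unique update ID", which is a change of meaning to confirm. In the new PowerMenuOptionsChanged text, "a update" appears twice and should be "an update", and "in power menu changed" needs an article and verb ("in the power menu have changed").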
@@ -5953,7 +6228,7 @@ The following fields are available:
- **revisionNumber** Revision number of the OS.
- **scheduledRebootTime** Time scheduled for the reboot.
- **updateId** Identifies which update is being scheduled.
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
@@ -5985,12 +6260,44 @@ The following fields are available:
## Windows Update mitigation events
+### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
+
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+
+The following fields are available:
+
+- **ClientId** The client ID used by Windows Update.
+- **FlightId** The ID of each Windows Insider build the device received.
+- **InstanceId** A unique device ID that identifies each update instance.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **MountedImageCount** The number of mounted images.
+- **MountedImageMatches** The number of mounted image matches.
+- **MountedImagesFailed** The number of mounted images that could not be removed.
+- **MountedImagesRemoved** The number of mounted images that were successfully removed.
+- **MountedImagesSkipped** The number of mounted images that were not found.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Windows Update.
+- **WuId** Unique ID for the Windows Update client.
+
+
### Mitigation360Telemetry.MitigationCustom.FixupEditionId
This event sends data specific to the FixupEditionId mitigation used for OS Updates.
+## Windows Update Reserve Manager events
+
+### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
+
+
+
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
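Review bot: In CleanupSafeOsImages, **MountedImagesSkipped** is described as "The number of mounted images that were not found", which does not match the field name; clarify whether skipped means not found or deliberately left in place. **InstanceId** is called "A unique device ID that identifies each update instance", mixing a device identifier with a per-instance one; pick the one that applies. The new "Windows Update Reserve Manager events" section adds RemovePendingHardReserveAdjustment with no field list, so either document the fields or state that the event carries none.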
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 63376e03ed..e6461d30e4 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 12/13/2018
+ms.date: 02/15/2019
---
@@ -46,15 +46,14 @@ Invalid Signature - This event is superseded by an event that contains additiona
The following fields are available:
-- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **DatasourceApplicationFile_RS4** An ID for the system, calculated by hashing hardware identifiers.
- **DatasourceDevicePnp_RS4** An ID for the system, calculated by hashing hardware identifiers.
- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device.
-- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device.
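Review bot: The unchanged lines for DatasourceApplicationFile_RS4 and DatasourceDevicePnp_RS4 still read "An ID for the system, calculated by hashing hardware identifiers", which is the PCFP description and does not match the count wording used for every other Datasource* field. This hunk removes the RS1 entries that carried the same misplaced text, so it is the natural place to correct the two RS4 lines as well, using the same count description given to the new DatasourceSystemBios_19H1Setup field.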
@@ -62,26 +61,24 @@ The following fields are available:
- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device.
-- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
- **InventorySystemBios** The count of the number of this particular object type present on this device.
-- **InventoryTest** The count of the number of this particular object type present on this device.
- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
- **PCFP** An ID for the system, calculated by hashing hardware identifiers.
-- **SystemMemory** The count of SystemMemory objects present on this machine.
+- **SystemMemory** The count of the number of this particular object type present on this device.
- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
-- **SystemProcessorNx** The count of SystemProcessorNx objects present on this machine.
-- **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine.
+- **SystemProcessorNx** The total number of objects of this type present on this device.
+- **SystemProcessorPrefetchW** The total number of objects of this type present on this device.
- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine.
-- **SystemTouch** The count of SystemTouch objects present on this machine.
-- **SystemWim** The count of SystemWim objects present on this machine.
-- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine.
-- **SystemWlan** The count of the number of this particular object type present on this device.
-- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
+- **SystemTouch** The count of the number of this particular object type present on this device.
+- **SystemWim** The total number of objects of this type present on this device.
+- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
+- **SystemWlan** The total number of objects of this type present on this device.
- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
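Review bot: The rewritten System* descriptions now alternate between "The count of the number of this particular object type present on this device" and "The total number of objects of this type present on this device" with no difference in meaning, and SystemProcessorSse2 is left in the old "objects present on this machine" form. Please settle on one phrasing for all of them. The new DecisionSystemBios_19H1Setup text says "the next release of Windows", which will be wrong once that release ships. Name the release the way the DecisionSystemBios_RS4 line below it does.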
@@ -506,7 +503,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
-This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -625,6 +622,7 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file generating the events.
- **Blocking** Is the device blocked from upgrade due to a BIOS block?
+- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios.
- **HasBiosBlock** Does the device have a BIOS block?
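Review bot: In the added DisplayGenericMessageGated line, "bios" is lowercase while the two neighbouring fields write "BIOS", and "generic offer block message" is not defined anywhere in the visible list. Suggest "Indicates whether a generic offer block message will be shown for the BIOS." plus a short clause saying what the message blocks.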
@@ -885,6 +883,7 @@ The following fields are available:
- **AppraiserVersion** The version of the Appraiser file generating the events.
- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
- **Time** The client time of the event.
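Review bot: The new Subcontext description lists the tokens App, Dev, Sys, Gat and Rescan without expanding them, and "Gat" in particular is not self-explanatory. Please add the meaning of each token, and capitalize "appraiser" to match "Appraiser" in the Context and AppraiserVersion lines above it.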
@@ -1339,7 +1338,7 @@ The following fields are available:
- **AppraiserTaskExitCode** The Appraiser task exist code.
- **AppraiserTaskLastRun** The last runtime for the Appraiser task.
- **CensusVersion** The version of Census that generated the current data for this device.
-- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
+- **IEVersion** The version of Internet Explorer that is running on the device.
### Census.Battery
@@ -1539,20 +1538,20 @@ Provides information on several important data points about Processor settings
The following fields are available:
-- **KvaShadow** Microcode info of the processor.
+- **KvaShadow** This is the micro code information of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
-- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
-- **ProcessorCores** Retrieves the number of cores in the processor.
-- **ProcessorIdentifier** The processor identifier of a manufacturer.
-- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
-- **ProcessorModel** Retrieves the name of the processor model.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
+- **ProcessorClockSpeed** Clock speed of the processor in MHz.
+- **ProcessorCores** Number of logical cores in the processor.
+- **ProcessorIdentifier** Processor Identifier of a manufacturer.
+- **ProcessorManufacturer** Name of the processor manufacturer.
+- **ProcessorModel** Name of the processor model.
- **ProcessorPhysicalCores** Number of physical cores in the processor.
-- **ProcessorUpdateRevision** Retrieves the processor architecture of the installed operating system.
+- **ProcessorUpdateRevision** The microcode revision.
- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status
-- **SocketCount** Number of physical CPU sockets of the machine.
-- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+- **SocketCount** Count of CPU sockets.
+- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability.
### Census.Security
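Review bot: The reworded KvaShadow line ("This is the micro code information of the processor.") still describes the field as microcode data, which does not fit the name: KVA shadow is the Windows kernel virtual address shadowing mitigation, and microcode is already covered by ProcessorUpdateRevision and ProcessorUpdateStatus. Please confirm what the field reports and describe that. If it stays, "micro code" should be "microcode" as in the lines below. Separately, the SpeculationControl text says protections are "needed to validate" the vulnerability; protections mitigate a vulnerability, so "needed to mitigate" is probably the intended wording. ProcessorArchitecture is the only line in this block that still opens with "Retrieves".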
@@ -2016,6 +2015,81 @@ The following fields are available:
- **WDDMVersion** The Windows Display Driver Model version.
+## Failover Clustering events
+
+### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
+
+This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations.
+
+The following fields are available:
+
+- **autoAssignSite** The cluster parameter: auto site.
+- **autoBalancerLevel** The cluster parameter: auto balancer level.
+- **autoBalancerMode** The cluster parameter: auto balancer mode.
+- **blockCacheSize** The configured size of the block cache.
+- **ClusterAdConfiguration** The ad configuration of the cluster.
+- **clusterAdType** The cluster parameter: mgmt_point_type.
+- **clusterDumpPolicy** The cluster configured dump policy.
+- **clusterFunctionalLevel** The current cluster functional level.
+- **clusterGuid** The unique identifier for the cluster.
+- **clusterWitnessType** The witness type the cluster is configured for.
+- **countNodesInSite** The number of nodes in the cluster.
+- **crossSiteDelay** The cluster parameter: CrossSiteDelay.
+- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold.
+- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay.
+- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold.
+- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters.
+- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters.
+- **csvResourceCount** The number of resources in the cluster.
+- **currentNodeSite** The name configured for the current site for the cluster.
+- **dasModeBusType** The direct storage bus type of the storage spaces.
+- **downLevelNodeCount** The number of nodes in the cluster that are running down-level.
+- **drainOnShutdown** Specifies whether a node should be drained when it is shut down.
+- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled.
+- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity.
+- **genAppNames** The win32 service name of a clustered service.
+- **genSvcNames** The command line of a clustered genapp.
+- **hangRecoveryAction** The cluster parameter: hang recovery action.
+- **hangTimeOut** Specifies the “hang time out” parameter for the cluster.
+- **isCalabria** Specifies whether storage spaces direct is enabled.
+- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes.
+- **isRunningDownLevel** Identifies if the current node is running down-level.
+- **logLevel** Specifies the granularity that is logged in the cluster log.
+- **logSize** Specifies the size of the cluster log.
+- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID.
+- **minNeverPreempt** The cluster parameter: minimum never preempt.
+- **minPreemptor** The cluster parameter: minimum preemptor priority.
+- **netftIpsecEnabled** The parameter: netftIpsecEnabled.
+- **NodeCount** The number of nodes in the cluster.
+- **nodeId** The current node number in the cluster.
+- **nodeResourceCounts** Specifies the number of node resources.
+- **nodeResourceOnlineCounts** Specifies the number of node resources that are online.
+- **numberOfSites** The number of different sites.
+- **numNodesInNoSite** The number of nodes not belonging to a site.
+- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes.
+- **preferredSite** The preferred site location.
+- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster.
+- **quarantineDuration** The quarantine duration.
+- **quarantineThreshold** The quarantine threshold.
+- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period.
+- **resiliencyLevel** Specifies the level of resiliency.
+- **resourceCounts** Specifies the number of resources.
+- **resourceTypeCounts** Specifies the number of resource types in the cluster.
+- **resourceTypes** Data representative of each resource type.
+- **resourceTypesPath** Data representative of the DLL path for each resource type.
+- **sameSubnetDelay** The cluster parameter: same subnet delay.
+- **sameSubnetThreshold** The cluster parameter: same subnet threshold.
+- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster).
+- **securityLevel** The cluster parameter: security level.
+- **securityLevelForStorage** The cluster parameter: security level for storage.
+- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes.
+- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down.
+- **upNodeCount** Specifies the number of nodes that are up (online).
+- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV.
+- **vmIsolationTime** The cluster parameter: VM isolation time.
+- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database.
+
+
## Fault Reporting events
### Microsoft.Windows.FaultReporting.AppCrashEvent
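Review bot: The descriptions for genAppNames and genSvcNames look swapped: genAppNames is given "The win32 service name of a clustered service" and genSvcNames is given "The command line of a clustered genapp". Please check and exchange them. Because one of these fields carries a command line, the entry should also say whether arguments are included, since that affects what an administrator needs to review. Other items in the same list: countNodesInSite and NodeCount share the text "The number of nodes in the cluster", csvResourceCount says "The number of resources in the cluster" without mentioning CSV, and sharedVolumeBlockCacheSize contains the duplicated words "for shared for shared volumes".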
@@ -2367,35 +2441,35 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
-- **Class** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
-- **ClassGuid** A unique identifier for the driver installed.
-- **COMPID** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
-- **ContainerId** INF file name (the name could be renamed by OS, such as oemXX.inf)
-- **Description** The version of the inventory binary generating the events.
-- **DeviceState** The current error code for the device.
-- **DriverId** A unique identifier for the driver installed.
-- **DriverName** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **BusReportedDescription** The description of the device reported by the bus.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device class unique identifier of the driver package loaded on the device.
+- **COMPID** The list of “Compatible IDs” for this device.
+- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to.
+- **Description** The description of the device.
+- **DeviceState** Identifies the current state of the parent (main) device.
+- **DriverId** The unique identifier for the installed driver.
+- **DriverName** The file name of the installed driver image.
- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
-- **DriverVerDate** The date of the driver loaded for the device.
-- **DriverVerVersion** The version of the driver loaded for the device.
-- **Enumerator** The bus that enumerated the device.
-- **HWID** List of hardware ids for the device.
-- **Inf** INF file name (the name could be renamed by OS, such as oemXX.inf)
-- **InstallState** Device installation state.
-- **InventoryVersion** The version of the inventory binary generating the events.
-- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
-- **LowerFilters** Lower filter drivers IDs installed for the device.
-- **Manufacturer** The device manufacturer.
-- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
-- **Model** The device model.
-- **ParentId** Device instance id of the parent of the device.
-- **ProblemCode** The current error code for the device.
-- **Provider** The device provider.
-- **Service** The device service name
-- **STACKID** The device service name.
-- **UpperClassFilters** The list of hardware ids for the stack
-- **UpperFilters** Upper filter drivers IDs installed for the device
+- **DriverVerDate** The date associated with the driver installed on the device.
+- **DriverVerVersion** The version number of the driver installed on the device.
+- **Enumerator** Identifies the bus that enumerated the device.
+- **HWID** A list of hardware IDs for the device.
+- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InventoryVersion** The version number of the inventory process generating the events.
+- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
+- **LowerFilters** The identifiers of the Lower filters installed for the device.
+- **Manufacturer** The manufacturer of the device.
+- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance.
+- **Model** Identifies the model of the device.
+- **ParentId** The Device Instance ID of the parent of the device.
+- **ProblemCode** The error code currently returned by the device, if applicable.
+- **Provider** Identifies the device provider.
+- **Service** The name of the device service.
+- **STACKID** The list of hardware IDs for the stack.
+- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device.
+- **UpperFilters** The identifiers of the Upper filters installed for the device.
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
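Review bot: The new DeviceState text, "Identifies the current state of the parent (main) device", reads as if the field describes the parent rather than the device this event is about, which conflicts with ParentId being a separate field. Please confirm which device the state belongs to and word it accordingly; the same "parent (main) device" phrase in ContainerId deserves the same check. The InstallState line adds a bare MSDN URL, while the rest of the file uses Markdown links such as [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). Also, COMPID uses curly quotes around "Compatible IDs".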
@@ -2543,28 +2617,29 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **AddinCLSID** The CLSID for the Office addin
-- **AddInCLSID** CLSID key for the office addin
-- **AddInId** Office addin ID
-- **AddinType** The type of the Office addin.
-- **BinFileTimestamp** Timestamp of the Office addin
-- **BinFileVersion** Version of the Office addin
-- **Description** Office addin description
-- **FileId** FileId of the Office addin
-- **FileSize** File size of the Office addin
-- **FriendlyName** Friendly name for office addin
-- **FullPath** Unexpanded path to the office addin
-- **LoadBehavior** Uint32 that describes the load behavior
-- **LoadTime** Load time for the office add in
-- **OfficeApplication** The office application for this add in
-- **OfficeArchitecture** Architecture of the addin
-- **OfficeVersion** The office version for this add in
-- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add in
-- **ProductCompany** The name of the company associated with the Office addin
-- **ProductName** The product name associated with the Office addin
-- **ProductVersion** The version associated with the Office addin
-- **ProgramId** The unique program identifier of the Office addin
-- **Provider** Name of the provider for this addin
+- **AddinCLSID** The class identifier key for the Microsoft Office add-in.
+- **AddInCLSID** The class identifier key for the Microsoft Office add-in.
+- **AddInId** The identifier for the Microsoft Office add-in.
+- **AddinType** The type of the Microsoft Office add-in.
+- **BinFileTimestamp** The timestamp of the Office add-in.
+- **BinFileVersion** The version of the Microsoft Office add-in.
+- **Description** Description of the Microsoft Office add-in.
+- **FileId** The file identifier of the Microsoft Office add-in.
+- **FileSize** The file size of the Microsoft Office add-in.
+- **FriendlyName** The friendly name for the Microsoft Office add-in.
+- **FullPath** The full path to the Microsoft Office add-in.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **LoadBehavior** Integer that describes the load behavior.
+- **LoadTime** Load time for the Office add-in.
+- **OfficeApplication** The Microsoft Office application associated with the add-in.
+- **OfficeArchitecture** The architecture of the add-in.
+- **OfficeVersion** The Microsoft Office version for this add-in.
+- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in.
+- **ProductCompany** The name of the company associated with the Office add-in.
+- **ProductName** The product name associated with the Microsoft Office add-in.
+- **ProductVersion** The version associated with the Office add-in.
+- **ProgramId** The unique program identifier of the Microsoft Office add-in.
+- **Provider** Name of the provider for this add-in.
- **Usage** Data regarding usage of the add-in.
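Review bot: AddinCLSID and AddInCLSID are both kept and now have identical descriptions, differing only in the case of one letter. If the event really emits both, say how they differ; if one is a leftover spelling, drop it so the list does not document the same field twice. LoadBehavior changes from "Uint32" to "Integer", which loses the width and signedness the old text gave; consider "Unsigned 32-bit integer that describes the load behavior."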
@@ -2582,6 +2657,9 @@ This event indicates that a new sync is being generated for this object type.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
@@ -2592,6 +2670,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
+- **InventoryVersion** The version of the inventory binary generating the events.
- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device
- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device
- **OMID** Identifier for the Office SQM Machine
@@ -2607,6 +2686,9 @@ Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
@@ -2617,6 +2699,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
+- **InventoryVersion** The version of the inventory binary generating the events.
- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature.
- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files.
- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
@@ -2640,6 +2723,9 @@ Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
@@ -2650,6 +2736,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
+- **InventoryVersion** The version of the inventory binary generating the events.
- **OfficeApplication** The name of the Office application.
- **OfficeArchitecture** The bitness of the Office application.
- **OfficeVersion** The version of the Office application.
@@ -2670,6 +2757,9 @@ Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
@@ -2680,6 +2770,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
+- **InventoryVersion** The version of the inventory binary generating the events.
- **OC2rApps** A GUID the describes the Office Click-To-Run apps
- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus
- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word
@@ -2692,6 +2783,9 @@ Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
@@ -2704,6 +2798,7 @@ The following fields are available:
- **BrowserFlags** Browser flags for Office-related products
- **ExchangeProviderFlags** Office Exchange provider policies
+- **InventoryVersion** The version of the inventory binary generating the events.
- **SharedComputerLicensing** Office Shared Computer Licensing policies
@@ -2713,6 +2808,9 @@ Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
@@ -2779,6 +2877,9 @@ This event indicates that a new sync is being generated for this object type.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
@@ -2787,6 +2888,9 @@ Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
@@ -2841,6 +2945,14 @@ The following fields are available:
- **IndicatorValue** The indicator value.
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
@@ -3263,6 +3375,12 @@ This event indicates an error in the updater payload. This information assists i
+### Microsoft.Windows.Sediment.Info.PhaseChange
+
+The event indicates progress made by the updater. This information assists in keeping Windows up to date.
+
+
+
### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date.
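Review bot: The added Microsoft.Windows.Sediment.Info.PhaseChange entry says only that the event "indicates progress made by the updater" and lists no fields, so it does not tell the reader what is transmitted. Please document the fields (at minimum whatever identifies the phase) in a "The following fields are available:" list, as the OSRSS entries around it do, or state that there are none. The description opens with "The event" where the sibling entries use "This event".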
@@ -3277,6 +3395,31 @@ The following fields are available:
- **Time** The system time at which the event occurred.
+### Microsoft.Windows.Sediment.OSRSS.DownloadingUrl
+
+This event provides information about the URL from which the Operating System Remediation System Service (OSRSS) is attempting to download. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **AttemptNumber** The count indicating which download attempt is starting.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which data was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.DownloadSuccess
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from the indicated URL. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which data was downloaded.
+
+
### Microsoft.Windows.Sediment.OSRSS.Error
This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
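Review bot: In the DownloadingUrl entry the Url field is described as "The URL from which data was downloaded", but the event text and AttemptNumber ("which download attempt is starting") say the download has not happened yet. Suggest "The URL from which data will be downloaded" there, keeping the past tense only for DownloadSuccess. The DownloadSuccess description also has a grammar slip: "successfully download data" should be "successfully downloaded data".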
@@ -3292,6 +3435,65 @@ The following fields are available:
- **Time** The system time at which the event occurred.
+### Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which the validated EXE was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ExtractSuccess
+
+This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted downloaded content. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which the successfully extracted content was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.NewUrlFound
+
+This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL to download from. This helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The new URL from which content will be downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ProcessCreated
+
+This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute content downloaded from the indicated URL. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The new URL from which content will be executed.
+
+
+### Microsoft.Windows.Sediment.OSRSS.SelfUpdate
+
+This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The major version number for the component.
+- **ServiceVersionMinor** The minor version number for the component.
+- **Time** The system timestamp for when the event occurred.
+
+
### Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
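Review bot: In the added ProcessCreated section, the Url field reads "The new URL from which content will be executed", which looks carried over from NewUrlFound. The event text says the process runs content downloaded from the indicated URL, so wording such as "The URL from which the executed content was downloaded" would match it. Separately, ExeSignatureValidated through ProcessCreated write "The Major version information" and "The Minor version information" while SelfUpdate writes "The major version number"; pick one form for ServiceVersionMajor and ServiceVersionMinor.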
@@ -3306,6 +3508,107 @@ The following fields are available:
- **Time** System timestamp the event was fired
+### Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
+
+This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed.
+
+The following fields are available:
+
+- **CheckName** The name of the applicability check that failed.
+- **InstallerVersion** The version information for the installer component.
+- **Time** The system timestamp for when the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
+
+This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update to itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.BinaryUpdated
+
+This event indicates the Operating System Remediation System Service (OSRSS) updated installer binaries with new binaries as part of its self-update process. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.InstallerLaunched
+
+This event indicates the Operating System Remediation System Service (OSRSS) has launched. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceInstalled
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully installed the Installer Component. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceRestarted
+
+This event indicates the Operating System Remediation System Service (OSRSS) has restarted after installing an updated version of itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceStarted
+
+This event indicates the Operating System Remediation System Service (OSRSS) has started after installing an updated version of itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceStopped
+
+This event indicates the Operating System Remediation System Service (OSRSS) was stopped by a self-updated to install an updated version of itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.UpdaterCompleted
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully completed the self-update operation. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.UpdaterLaunched
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully launched the self-updater after downloading it. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
### Microsoft.Windows.SedimentLauncher.Applicable
Indicates whether a given plugin is applicable.
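Review bot: The ServiceStopped description contains a typo, "was stopped by a self-updated to install an updated version of itself"; suggest "was stopped by a self-update in order to install an updated version of itself". In the same hunk, InstallerLaunched says OSRSS "has launched" and ServiceInstalled says OSRSS "successfully installed the Installer Component", neither of which obviously matches its event name, so please confirm which component is the subject of each sentence. ServiceRestarted and ServiceStarted differ by one word; a clause saying when each one fires would make them distinguishable.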
@@ -3642,7 +3945,7 @@ The following fields are available:
- **EventInstanceID** A unique identifier for event instance.
- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it.
-- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.)
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it.
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **UpdateID** A unique identifier for the action being acted upon.
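Review bot: The context line for StandardReasons, directly below the edited ServiceGuid line, still reads "the standard logic the prevented it". Since this list is being touched for punctuation anyway, fix it in the same change ("the standard logic that prevented it").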
@@ -3708,7 +4011,7 @@ The following fields are available:
- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
- **FailedParseActions** The list of actions that were not successfully parsed.
- **ParsedActions** The list of actions that were successfully parsed.
-- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.)
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
- **WUDeviceID** The unique identifier controlled by the software distribution client.
@@ -3797,50 +4100,81 @@ The following fields are available:
- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-### SoftwareUpdateClientTelemetry.Download
+### SoftwareUpdateClientTelemetry.Commit
-Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
+This event tracks the commit process post the update installation when software update client is trying to update the device.
The following fields are available:
-- **ActiveDownloadTime** Number of seconds the update was actively being downloaded.
-- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
-- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
- **BiosFamily** The family of the BIOS (Basic Input Output System).
- **BiosName** The name of the device BIOS.
- **BiosReleaseDate** The release date of the device BIOS.
- **BiosSKUNumber** The sku number of the device BIOS.
- **BIOSVendor** The vendor of the BIOS.
- **BiosVersion** The version of the BIOS.
-- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client.
+- **DeviceModel** What is the device model.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** State of call
+- **EventType** Possible values are "Child", "Bundle", or "Driver".
+- **FlightId** The specific id of the flight the device is getting
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
+- **RevisionNumber** Unique revision number of Update
+- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **UpdateId** Unique Update ID
+- **WUDeviceID** UniqueDeviceID
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
+
+The following fields are available:
+
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
+- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
+- **AppXDownloadScope** Indicates the scope of the download for application content.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The SKU number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
+- **BundleId** Identifier associated with the specific content bundle.
- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
- **BundleRevisionNumber** Identifies the revision number of the content bundle.
- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable.
+- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client.
+- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download.
- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
- **ClientVersion** The version number of the software distribution client.
- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **DeviceModel** What is the device model.
+- **DeviceModel** The model of the device.
- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
-- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
-- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events.
+- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
-- **EventType** Possible values are Child, Bundle, or Driver.
+- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed.
+- **EventType** Identifies the type of the event (Child, Bundle, or Driver).
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
-- **FlightId** The specific ID of the flight (pre-release build) the device is getting.
+- **FlightId** The specific id of the flight (pre-release build) the device is getting.
- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
-- **HostName** The hostname URL the content is downloading from.
+- **HostName** The parent URL the content is downloading from.
- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
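Review bot: Several descriptions in the new SoftwareUpdateClientTelemetry.Commit list are placeholders rather than definitions: EventScenario "State of call", UpdateId "Unique Update ID", WUDeviceID "UniqueDeviceID". The Download section already carries fuller wording for the same fields; reuse it and add the missing terminal periods. In the same list ServerId says "Microsoft Store" while ServiceGuid says "Windows Store". In the rewritten Download list, AppXDownloadScope drops the enumerated values (AllContent, RequiredOnly, AutomaticOnly, Unknown) that a reader needs to interpret the field, FlightId changes "ID" to "id", and DownloadScenarioId says "Delivery Optimizer" where UsedDO says "Delivery Optimization".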
@@ -3851,25 +4185,25 @@ The following fields are available:
- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
-- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
-- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **RevisionNumber** The revision number of the specified piece of content.
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
+- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
- **SystemBIOSMajorRelease** Major version of the BIOS.
- **SystemBIOSMinorRelease** Minor version of the BIOS.
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package.
- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
-- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
-- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded.
- **UpdateId** An identifier associated with the specific piece of content.
- **UpdateID** An identifier associated with the specific piece of content.
-- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **UsedDO** Whether the download used the delivery optimization service.
+- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional.
+- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service.
- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
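Review bot: The TargetMetadataVersion edit changes the meaning, not only the wording: the removed line defines it as the target version of the SIH engine to download, and the added line says "The version of the currently downloading (or most recently downloaded) package". Please confirm that is intended. Smaller points in the same hunk: RelatedCV loses its terminal period while the rest of the patch adds them, ServiceGuid switches from "Microsoft Store" to "Windows Store", and the edited TimeToEstablishConnection line still ends "prior to beginning downloaded".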
@@ -3941,14 +4275,14 @@ The following fields are available:
- **BIOSVendor** The vendor of the BIOS.
- **BiosVersion** The version of the BIOS.
- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install.
- **BundleRevisionNumber** Identifies the revision number of the content bundle.
- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
- **ClientVersion** The version number of the software distribution client.
- **CSIErrorType** The stage of CBS installation where it failed.
-- **CurrentMobileOperator** Mobile operator that device is currently connected to.
-- **DeviceModel** What is the device model.
+- **CurrentMobileOperator** The mobile operator to which the device is currently connected.
+- **DeviceModel** The device model.
- **DriverPingBack** Contains information about the previous driver and system state.
- **EventInstanceID** A globally unique identifier for event instance.
- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
@@ -3964,21 +4298,21 @@ The following fields are available:
- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
-- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
-- **IsFirmware** Is this update a firmware update?
-- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
+- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether this update is a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
-- **MergedUpdate** Was the OS update and a BSP update merged for installation?
+- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
- **MsiAction** The stage of MSI installation where it failed.
- **MsiProductCode** The unique identifier of the MSI installer.
- **PackageFullName** The package name of the content being installed.
- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install.
- **RevisionNumber** The revision number of this specific piece of content.
- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
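Review bot: IsWUfBDualScanEnabled is left phrased as a question ("Is Windows Update for Business dual scan enabled on the device?") while the fields around it are converted to "Indicates whether ...". Convert it as well, and add the missing period to the RelatedCV context line in this list.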
@@ -3988,8 +4322,8 @@ The following fields are available:
- **SystemBIOSMinorRelease** Minor version of the BIOS.
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TransactionCode** The ID which represents a given MSI installation
-- **UpdateId** Unique update ID
+- **TransactionCode** The ID that represents a given MSI installation.
+- **UpdateId** Unique update ID.
- **UpdateID** An identifier associated with the specific piece of content.
- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
@@ -4020,7 +4354,7 @@ The following fields are available:
- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
- **ExtendedStatusCode** The secondary status code of the event.
-- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed.
- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
@@ -4031,7 +4365,7 @@ The following fields are available:
- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
-- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **SHA256OfTimestampToken** An encoded string of the timestamp token.
- **SignatureAlgorithm** The hash algorithm for the metadata signature.
- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
- **StatusCode** The status code of the event.
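Review bot: The new SHA256OfTimestampToken text, "An encoded string of the timestamp token", no longer says that the value is a hash or that the encoding is base64, and it reads as if the token itself were sent. The field name and the neighbouring SHA256OfLeafCerData entry both describe a base64 encoding of a hash. Keep that information, for example "A base64-encoded string of the hash of the timestamp token blob."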
@@ -4282,6 +4616,7 @@ The following fields are available:
- **FlightId** Unique ID for each flight.
- **InternalFailureResult** Indicates a non-fatal error from a plugin.
- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable.
- **PackageCountOptional** # of optional packages requested.
- **PackageCountRequired** # of required packages requested.
- **PackageCountTotal** Total # of packages needed.
@@ -4519,36 +4854,36 @@ The following fields are available:
- **CV** Correlation vector.
- **DetectorVersion** Most recently run detector version for the current campaign.
- **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user.
-- **key1** UI interaction data
-- **key10** UI interaction data
-- **key11** UI interaction data
-- **key12** UI interaction data
-- **key13** UI interaction data
-- **key14** UI interaction data
-- **key15** UI interaction data
-- **key16** UI interaction data
-- **key17** UI interaction data
-- **key18** UI interaction data
-- **key19** UI interaction data
-- **key2** UI interaction data
-- **key20** UI interaction data
-- **key21** UI interaction data
-- **key22** UI interaction data
-- **key23** UI interaction data
-- **key24** UI interaction data
-- **key25** UI interaction data
-- **key26** UI interaction data
-- **key27** UI interaction data
-- **key28** UI interaction data
-- **key29** UI interaction data
-- **key3** UI interaction data
-- **key30** UI interaction data
-- **key4** UI interaction data
-- **key5** UI interaction data
-- **key6** UI interaction data
-- **key7** UI interaction data
-- **key8** UI interaction data
-- **key9** UI interaction data
+- **key1** UI interaction data.
+- **key10** UI interaction data.
+- **key11** UI interaction data.
+- **key12** UI interaction data.
+- **key13** UI interaction data.
+- **key14** UI interaction data.
+- **key15** UI interaction data.
+- **key16** UI interaction data.
+- **key17** UI interaction data.
+- **key18** UI interaction data.
+- **key19** UI interaction data.
+- **key2** UI interaction data.
+- **key20** UI interaction data.
+- **key21** UI interaction data.
+- **key22** UI interaction data.
+- **key23** UI interaction data.
+- **key24** The interaction data for the user interface.
+- **key25** The interaction data for the user interface.
+- **key26** The interaction data for the user interface.
+- **key27** The interaction data for the user interface.
+- **key28** The interaction data for the user interface.
+- **key29** UI interaction data.
+- **key3** UI interaction data.
+- **key30** UI interaction data.
+- **key4** UI interaction data.
+- **key5** UI interaction data.
+- **key6** UI interaction data.
+- **key7** UI interaction data.
+- **key8** UI interaction data.
+- **key9** UI interaction data.
- **PackageVersion** Current package version of the update notification.
- **schema** UI interaction type.
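Review bot: key24 through key28 are given "The interaction data for the user interface." while every other key in this list is given "UI interaction data."; use one wording for all thirty entries.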
@@ -4643,6 +4978,12 @@ This event indicates whether devices received additional or critical supplementa
+### FacilitatorTelemetry.InitializeDU
+
+This event determines whether devices received additional or critical supplemental content during an OS upgrade.
+
+
+
### Setup360Telemetry.Downlevel
This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
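Review bot: The added FacilitatorTelemetry.InitializeDU section has a description but no "The following fields are available:" list, and its sentence nearly repeats the preceding event's description visible in the hunk header ("This event indicates whether devices received additional or critical ..."). Say what distinguishes InitializeDU from that event, list its fields or state that it has none, and drop the extra blank added line before the next heading.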
@@ -4734,6 +5075,7 @@ This event sends data indicating that the device has invoked the predownload qui
The following fields are available:
- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
- **HostOSBuildNumber** The build number of the previous OS.
- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
@@ -4848,6 +5190,17 @@ This event sends a summary of all the setup mitigations available for this updat
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+The following fields are available:
+
+- **ClientId** The Windows Update client ID passed to Setup.
+- **Count** The count of applicable OneSettings for the device.
+- **FlightData** The ID for the flight (test instance version).
+- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
+- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings.
+- **ReportId** The Update ID passed to Setup.
+- **Result** The HResult of the event error.
+- **ScenarioId** The update scenario ID.
+- **Values** Values sent back to the device, if applicable.
### Setup360Telemetry.UnexpectedEvent
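Review bot: FlightData is defined here as "The ID for the flight (test instance version)" but in the earlier hunk that adds the same field as "Unique value that identifies the flight". Use one definition for both, and if "test instance version" is meant to explain what a flight is, align it with the "(pre-release build)" gloss used elsewhere in this patch.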
@@ -4908,17 +5261,17 @@ This event provides the results from the WaaSMedic engine
The following fields are available:
- **detectionSummary** Result of each applicable detection that was run.
-- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
+- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates
- **hrEngineResult** Indicates the WaaSMedic engine operation error codes
-- **insufficientSessions** Device not eligible for diagnostics.
-- **isManaged** Device is managed for updates.
-- **isWUConnected** Device is connected to Windows Update.
-- **noMoreActions** No more applicable diagnostics.
-- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
+- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
+- **isManaged** Indicates the device is managed for updates
+- **isWUConnected** Indicates the device is connected to Windows Update
+- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
+- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates
- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
-- **usingBackupFeatureAssessment** Relying on backup feature assessment.
-- **usingBackupQualityAssessment** Relying on backup quality assessment.
-- **versionString** Version of the WaaSMedic engine.
+- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client
+- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client
+- **versionString** Installed version of the WaaSMedic engine
## Windows Error Reporting events
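Review bot: The new **insufficientSessions** description reads inverted. The field name and the removed text ("Device not eligible for diagnostics.") both mean that true signals too little activity, but the added line says "True, if the device has enough activity to be eligible for update diagnostics." Please confirm the polarity and reword it, for example "True if the device does not have enough activity to be eligible for update diagnostics; otherwise false." The rewritten bullets in this hunk also drop the trailing period that **detectionSummary** and **remediationSummary** keep.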
@@ -4941,7 +5294,7 @@ The following fields are available:
- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
-## Microsoft Store events
+## Windows Store events
### Microsoft.Windows.Store.Partner.ReportApplication
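Review bot: The heading change from "## Microsoft Store events" to "## Windows Store events" goes back to the older product name and changes the generated heading anchor, so any existing link to the old anchor would stop resolving. If this is a side effect of regenerating the file rather than an intended rename, keep "## Microsoft Store events".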
@@ -5446,7 +5799,7 @@ The following fields are available:
- **bytesRequested** Number of bytes requested for the download.
- **callerName** Name of the API caller.
- **cdnUrl** The URL of the source CDN.
-- **clientTelId** A random number used for device sampling.
+- **clientTelId** Random number used for device selection
- **costFlags** A set of flags representing network cost.
- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
- **diceRoll** Random number used for determining if a client will use peering.
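Review bot: In **clientTelId**, "device selection" is vaguer than the removed "device sampling" and does not say what the device is selected for. The new line also drops the trailing period that every neighbouring bullet in this list keeps. Suggest keeping "A random number used for device sampling."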
@@ -5579,14 +5932,14 @@ This event collects information regarding the install phase of the new device ma
The following fields are available:
-- **errorCode** The error code returned for the current install phase
-- **flightId** The unique identifier for each flight
-- **objectId** Unique value for each Update Agent mode
-- **relatedCV** Correlation vector value generated from the latest scan
-- **result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **errorCode** The error code returned for the current install phase.
+- **flightId** The unique identifier for each flight (pre-release builds).
+- **objectId** Unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest scan.
+- **result** Outcome of the install phase of the update.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **sessionId** Unique value for each Update Agent mode attempt
-- **updateId** Unique ID for each update
+- **sessionId** Unique value for each update session.
+- **updateId** Unique ID for each Update.
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
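Review bot: The new **result** line removes the value mapping ("0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled") and leaves only "Outcome of the install phase of the update.", so a reader can no longer interpret the number in the event. Please keep the enumeration in the new wording. **objectId** and **sessionId** also change meaning (from "Update Agent mode" and "Update Agent mode attempt" to "diagnostics session" and "update session"); confirm that is a correction and not a copy from another event.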
@@ -5595,13 +5948,13 @@ This event sends data for the start of each mode during the process of updating
The following fields are available:
-- **flightId** The unique identifier for each flight
-- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
-- **objectId** Unique value for each Update Agent mode
-- **relatedCV** Correlation vector value generated from the latest scan
+- **flightId** The unique identifier for each flight (pre-release builds).
+- **mode** Indicates the active Update Agent mode.
+- **objectId** Unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest scan.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **sessionId** Unique value for each Update Agent mode attempt
-- **updateId** Unique ID for each update
+- **sessionId** The unique identifier for each update session.
+- **updateId** The unique identifier for each Update.
### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
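Review bot: The **mode** field loses its documented values here: the removed line listed "1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit", and the replacement "Indicates the active Update Agent mode." gives no way to decode the number. Keep the mapping after the new sentence. The **sessionId** and **updateId** wording in this hunk ("The unique identifier for each ...") also differs from the same fields in the previous event ("Unique value for each update session.", "Unique ID for each Update."); use one form for both.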
@@ -5610,6 +5963,18 @@ This event indicates that a notification dialog box is about to be displayed to
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
+
+This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed.
+
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
+
+This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.
+
+
+
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
@@ -5622,6 +5987,18 @@ This event indicates that the Enhanced Engaged restart "restart imminent" dialog
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog
+
+This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart.
+
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog
+
+This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed.
+
+
+
### Microsoft.Windows.Update.NotificationUx.RebootScheduled
Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
@@ -5646,6 +6023,12 @@ This event indicates a policy is present that may restrict update activity to ou
+### Microsoft.Windows.Update.Orchestrator.AttemptImmediateReboot
+
+This event sends data when the Windows Update Orchestrator is set to reboot immediately after installing the update.
+
+
+
### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
This event indicates that update activity was blocked because it is within the active hours window.
@@ -5680,17 +6063,17 @@ This event indicates that a scan for a Windows Update occurred.
The following fields are available:
-- **deferReason** Reason why the device could not check for updates.
-- **detectionBlockreason** Reason for detection not completing.
+- **deferReason** The reason why the device could not check for updates.
+- **detectionBlockreason** The reason detection did not complete.
- **detectionRetryMode** Indicates whether we will try to scan again.
-- **errorCode** The returned error code.
+- **errorCode** The error code returned for the current process.
- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **flightID** The specific ID of the Windows Insider build the device is getting.
-- **interactive** Indicates whether the session was user initiated.
-- **revisionNumber** Update revision number.
-- **updateId** Update ID.
-- **updateScenarioType** Device ID
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
+- **interactive** Indicates whether the user initiated the session.
+- **revisionNumber** The Update revision number.
+- **updateId** The unique identifier of the Update.
+- **updateScenarioType** Identifies the type of update session being performed.
+- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
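Review bot: The added **flightID** sentence is ungrammatical: "The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable." is missing a relative clause. Suggest "The unique identifier for the flight (Windows Insider pre-release build) that should be delivered to the device, if applicable." The **updateScenarioType** fix (previously described as "Device ID") is a real correction and worth calling out in the commit message.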
@@ -5780,7 +6163,7 @@ The following fields are available:
- **deferReason** Reason for install not completing.
- **errorCode** The error code reppresented by a hexadecimal value.
- **eventScenario** End-to-end update session ID.
-- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightID** The ID of the Windows Insider build the device is getting.
- **flightUpdate** Indicates whether the update is a Windows Insider build.
- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
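Review bot: **flightID** is described here as "The ID of the Windows Insider build the device is getting." while the other Orchestrator hunks in this same patch use "The unique identifier for the flight (Windows Insider pre-release build) ...". Pick one wording for the field across events. While this block is being touched, the unchanged **errorCode** line just above still has the typo "reppresented".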
@@ -5826,15 +6209,21 @@ This event is sent after a Windows update install completes.
The following fields are available:
-- **batteryLevel** Current battery capacity in mWh or percentage left.
-- **bundleId** Identifier associated with the specific content bundle.
+- **batteryLevel** Current battery capacity in megawatt-hours (mWh) or percentage left.
+- **bundleId** The unique identifier associated with the specific content bundle.
- **bundleRevisionnumber** Identifies the revision number of the content bundle.
- **errorCode** The error code returned for the current phase.
- **eventScenario** State of update action.
-- **flightID** Update session type
+- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
- **sessionType** The Windows Update session type (Interactive or Background).
-- **updateScenarioType** The update session type.
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **updateScenarioType** Identifies the type of Update session being performed.
+- **wuDeviceid** The unique device identifier used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
+
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
+
### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
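Review bot: In **batteryLevel**, the expansion "megawatt-hours (mWh)" is wrong: mWh is milliwatt-hours (megawatt-hours would be MWh). Change it to "milliwatt-hours (mWh)". Two smaller points in the same hunk: the **flightID** sentence is missing "that" before "should be delivered", and the PowerMenuOptionsChanged description should read "in the power menu" and "after an update is installed".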
@@ -6055,7 +6444,7 @@ The following fields are available:
- **scheduledRebootTime** Time scheduled for the reboot.
- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
- **updateId** Identifies which update is being scheduled.
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
@@ -6101,24 +6490,32 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS
The following fields are available:
-- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **ClientId** The client ID used by Windows Update.
+- **FlightId** The ID of each Windows Insider build the device received.
+- **InstanceId** A unique device ID that identifies each update instance.
- **MitigationScenario** The update scenario in which the mitigation was executed.
-- **MountedImageCount** Number of mounted images.
-- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT.
-- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
-- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
-- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **MountedImageCount** The number of mounted images.
+- **MountedImageMatches** The number of mounted image matches.
+- **MountedImagesFailed** The number of mounted images that could not be removed.
+- **MountedImagesRemoved** The number of mounted images that were successfully removed.
+- **MountedImagesSkipped** The number of mounted images that were not found.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
- **Result** HResult of this operation.
- **ScenarioId** ID indicating the mitigation scenario.
- **ScenarioSupported** Indicates whether the scenario was supported.
- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each Update.
+- **UpdateId** Unique ID for each Windows Update.
- **WuId** Unique ID for the Windows Update client.
+## Windows Update Reserve Manager events
+
+### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
+
+
+
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
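Review bot: Several rewritten CleanupSafeOsImages fields lose or change meaning. The removed lines scoped the Mounted* counters to images under %systemdrive%\$Windows.~BT, and **MountedImagesSkipped** meant images that were not under that path; the new "The number of mounted images that were not found." says something different, and "The number of mounted image matches." no longer says what is matched. **InstanceId** changes from a GUID per setuphost.exe instance to "A unique device ID that identifies each update instance", which mixes a device identifier with a per-instance one. Please restore the path qualifier and confirm the **InstanceId** and **ClientId** semantics before merging.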
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index c8a8b09e66..6361832bf4 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 12/13/2018
+ms.date: 02/15/2019
---
@@ -47,55 +47,55 @@ This event lists the types of objects and how many of each exist on the client d
The following fields are available:
- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
-- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
+- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
-- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
+- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
-- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
+- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device.
- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
-- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
-- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device.
+- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
-- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device.
- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
-- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device.
- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
-- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
-- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device.
- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
-- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device.
- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device.
-- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS5Setup** The count of the number of this particular object type present on this device.
- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
-- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine.
+- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
- **InventorySystemBios** The count of the number of this particular object type present on this device.
- **InventoryTest** The count of the number of this particular object type present on this device.
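Review bot: The _RS3 descriptions end up inconsistent after this hunk. Most become the generic "The count of the number of this particular object type present on this device.", some name "Windows 10 version 1709", and **DecisionMatchingInfoPassive_RS3** alone says "Windows 10 version 1803"; every other RS3 field that names a release says 1709, so 1803 looks like a mistake. The unchanged **DecisionSystemBios_RS5** line still says "targeting the next release of Windows". Suggest one pattern for all versioned fields, and "The count of the number of" can be shortened to "The number of".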
@@ -104,15 +104,15 @@ The following fields are available:
- **SystemMemory** The count of the number of this particular object type present on this device.
- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
-- **SystemProcessorNx** The count of SystemProcessorNx objects present on this machine.
-- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device.
-- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine.
+- **SystemProcessorNx** The total number of objects of this type present on this device.
+- **SystemProcessorPrefetchW** The total number of objects of this type present on this device.
+- **SystemProcessorSse2** The total number of objects of this type present on this device.
- **SystemTouch** The count of SystemTouch objects present on this machine.
-- **SystemWim** The count of SystemWim objects present on this machine.
+- **SystemWim** The total number of objects of this type present on this device.
- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine.
-- **SystemWlan** The count of SystemWlan objects present on this machine.
+- **SystemWlan** The total number of objects of this type present on this device.
- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
+- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers.
- **Wmdrm_RS5** The count of the number of this particular object type present on this device.
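Review bot: **Wmdrm_RS3** is changed to "An ID for the system, calculated by hashing hardware identifiers.", which describes a hashed identifier, not an object count. The removed text and the adjacent **Wmdrm_RS5** line both describe a count, so this looks like the **Wmdrm_RS1** description copied down. For a privacy reference the distinction matters: please confirm what the field carries and describe it as a count if that is what it is. The hunk also introduces a third phrasing, "The total number of objects of this type present on this device.", alongside the two already in the list.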
@@ -540,7 +540,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
-This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1223,6 +1223,12 @@ The following fields are available:
- **WindowsNotActivatedDecision** Is the current operating system activated?
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusEndSync
+
+This event indicates that a full set of SystemWindowsActivationStatusAdd events has succeeded in being sent.
+
+
+
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
This event indicates that the SystemWindowsActivationStatus object is no longer present.
@@ -1377,7 +1383,7 @@ The following fields are available:
- **AppraiserTaskExitCode** The Appraiser task exist code.
- **AppraiserTaskLastRun** The last runtime for the Appraiser task.
- **CensusVersion** The version of Census that generated the current data for this device.
-- **IEVersion** IE version running on the device.
+- **IEVersion** The version of Internet Explorer that is running on the device.
### Census.Battery
@@ -1578,7 +1584,7 @@ Provides information on several important data points about Processor settings
The following fields are available:
-- **KvaShadow** Microcode info of the processor.
+- **KvaShadow** This is the micro code information of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
- **PreviousUpdateRevision** Previous microcode revision.
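Review bot: The new **KvaShadow** line is wordier without adding information and spells it "micro code", while every neighbouring line in this list uses "Microcode" or "microcode". It also leaves **KvaShadow** with essentially the same description as **MMSettingOverride**, which does not help a reader tell the two fields apart. Suggest dropping "This is the" and using "microcode", and stating what the value actually indicates if that is known.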
@@ -1589,10 +1595,10 @@ The following fields are available:
- **ProcessorManufacturer** Name of the processor manufacturer.
- **ProcessorModel** Name of the processor model.
- **ProcessorPhysicalCores** Number of physical cores in the processor.
-- **ProcessorUpdateRevision** Microcode revision
+- **ProcessorUpdateRevision** The microcode revision.
- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status.
- **SocketCount** Count of CPU sockets.
-- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability.
### Census.Security
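Review bot: In **SpeculationControl**, "protections needed to validate the speculation control vulnerability" carries over an odd verb from the old line: protections mitigate a vulnerability, they do not validate it. Since the sentence is being rewritten anyway, please confirm the intended meaning and reword, for example "Indicates whether the system has enabled the protections needed to mitigate the speculation control vulnerability."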
@@ -2844,6 +2850,81 @@ The following fields are available:
- **WDDMVersion** The Windows Display Driver Model version.
+## Failover Clustering events
+
+### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
+
+This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations.
+
+The following fields are available:
+
+- **autoAssignSite** The cluster parameter: auto site.
+- **autoBalancerLevel** The cluster parameter: auto balancer level.
+- **autoBalancerMode** The cluster parameter: auto balancer mode.
+- **blockCacheSize** The configured size of the block cache.
+- **ClusterAdConfiguration** The ad configuration of the cluster.
+- **clusterAdType** The cluster parameter: mgmt_point_type.
+- **clusterDumpPolicy** The cluster configured dump policy.
+- **clusterFunctionalLevel** The current cluster functional level.
+- **clusterGuid** The unique identifier for the cluster.
+- **clusterWitnessType** The witness type the cluster is configured for.
+- **countNodesInSite** The number of nodes in the cluster.
+- **crossSiteDelay** The cluster parameter: CrossSiteDelay.
+- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold.
+- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay.
+- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold.
+- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters.
+- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters.
+- **csvResourceCount** The number of resources in the cluster.
+- **currentNodeSite** The name configured for the current site for the cluster.
+- **dasModeBusType** The direct storage bus type of the storage spaces.
+- **downLevelNodeCount** The number of nodes in the cluster that are running down-level.
+- **drainOnShutdown** Specifies whether a node should be drained when it is shut down.
+- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled.
+- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity.
+- **genAppNames** The win32 service name of a clustered service.
+- **genSvcNames** The command line of a clustered genapp.
+- **hangRecoveryAction** The cluster parameter: hang recovery action.
+- **hangTimeOut** Specifies the “hang time out” parameter for the cluster.
+- **isCalabria** Specifies whether storage spaces direct is enabled.
+- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes.
+- **isRunningDownLevel** Identifies if the current node is running down-level.
+- **logLevel** Specifies the granularity that is logged in the cluster log.
+- **logSize** Specifies the size of the cluster log.
+- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID.
+- **minNeverPreempt** The cluster parameter: minimum never preempt.
+- **minPreemptor** The cluster parameter: minimum preemptor priority.
+- **netftIpsecEnabled** The parameter: netftIpsecEnabled.
+- **NodeCount** The number of nodes in the cluster.
+- **nodeId** The current node number in the cluster.
+- **nodeResourceCounts** Specifies the number of node resources.
+- **nodeResourceOnlineCounts** Specifies the number of node resources that are online.
+- **numberOfSites** The number of different sites.
+- **numNodesInNoSite** The number of nodes not belonging to a site.
+- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes.
+- **preferredSite** The preferred site location.
+- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster.
+- **quarantineDuration** The quarantine duration.
+- **quarantineThreshold** The quarantine threshold.
+- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period.
+- **resiliencyLevel** Specifies the level of resiliency.
+- **resourceCounts** Specifies the number of resources.
+- **resourceTypeCounts** Specifies the number of resource types in the cluster.
+- **resourceTypes** Data representative of each resource type.
+- **resourceTypesPath** Data representative of the DLL path for each resource type.
+- **sameSubnetDelay** The cluster parameter: same subnet delay.
+- **sameSubnetThreshold** The cluster parameter: same subnet threshold.
+- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster).
+- **securityLevel** The cluster parameter: security level.
+- **securityLevelForStorage** The cluster parameter: security level for storage.
+- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes.
+- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down.
+- **upNodeCount** Specifies the number of nodes that are up (online).
+- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV.
+- **vmIsolationTime** The cluster parameter: VM isolation time.
+- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database.
+
+
## Fault Reporting events
### Microsoft.Windows.FaultReporting.AppCrashEvent
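Review bot: several of the added cluster field descriptions do not explain the field. **sharedVolumeBlockCacheSize** repeats a phrase ("for shared for shared volumes"), **netftIpsecEnabled** is described only as "The parameter: netftIpsecEnabled.", and **securityLevel** and **securityLevelForStorage** just restate their names. For those three security-related fields, say what values they take and what each value means. Also fix "different version of OS" in **isMixedMode**, and give units for **logSize**, **quarantineDuration** and **hangTimeOut**.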
@@ -3015,6 +3096,17 @@ The following fields are available:
- **ProgramIds** The unique program identifier the driver is associated with.
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
+
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component.
+
+
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
@@ -3191,35 +3283,35 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
-- **Class** A unique identifier for the driver installed.
-- **ClassGuid** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
-- **COMPID** INF file name (the name could be renamed by OS, such as oemXX.inf)
-- **ContainerId** The version of the inventory binary generating the events.
-- **Description** The current error code for the device.
-- **DeviceState** The device description.
-- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
-- **DriverName** A unique identifier for the driver installed.
-- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage
-- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **BusReportedDescription** The description of the device reported by the bus.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device class unique identifier of the driver package loaded on the device.
+- **COMPID** The list of “Compatible IDs” for this device.
+- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to.
+- **Description** The description of the device.
+- **DeviceState** Identifies the current state of the parent (main) device.
+- **DriverId** The unique identifier for the installed driver.
+- **DriverName** The name of the driver image file.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **DriverVerDate** The date associated with the driver loaded on the device.
- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage.
-- **Enumerator** The date of the driver loaded for the device.
-- **HWID** The version of the driver loaded for the device.
-- **Inf** The bus that enumerated the device.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
-- **InventoryVersion** List of hardware ids for the device.
-- **LowerClassFilters** Lower filter class drivers IDs installed for the device
-- **LowerFilters** Lower filter drivers IDs installed for the device
-- **Manufacturer** INF file name (the name could be renamed by OS, such as oemXX.inf)
-- **MatchingID** Device installation state.
-- **Model** The version of the inventory binary generating the events.
-- **ParentId** Lower filter class drivers IDs installed for the device.
-- **ProblemCode** Lower filter drivers IDs installed for the device.
-- **Provider** The device manufacturer.
-- **Service** The device service name
-- **STACKID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
-- **UpperClassFilters** Upper filter drivers IDs installed for the device
-- **UpperFilters** The device model.
+- **Enumerator** Identifies the bus that enumerated the device.
+- **HWID** A list of hardware IDs for the device.
+- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InventoryVersion** The version number of the inventory process generating the events.
+- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
+- **LowerFilters** The identifiers of the Lower filters installed for the device.
+- **Manufacturer** The manufacturer of the device.
+- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance.
+- **Model** Identifies the model of the device.
+- **ParentId** The Device Instance ID of the parent of the device.
+- **ProblemCode** The error code currently returned by the device, if applicable.
+- **Provider** Identifies the device provider.
+- **Service** The name of the device service.
+- **STACKID** The list of hardware IDs for the stack.
+- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device.
+- **UpperFilters** The identifiers of the Upper filters installed for the device.
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
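Review bot: **DriverVerVersion** is left as an unchanged context line and still reads "The immediate parent directory name in the Directory field of InventoryDriverPackage.", which is now word for word the description of **DriverPackageStrongName**. Every other shifted description in this list is corrected, so this one should become the version of the driver loaded for the device. The rewrite also drops the DeviceState bitmask list (DEVICE_IS_PRESENT 0x0020, DEVICE_IS_HIDDEN 0x0040 and so on) that the old text carried, misplaced under DriverId; consider moving it under **DeviceState** rather than deleting it, since "Identifies the current state" alone does not let a reader decode the value.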
@@ -3367,29 +3459,29 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **AddinCLSID** The CLSID for the Office addin
-- **AddInCLSID** CLSID key for the office addin
-- **AddInId** Office addin ID
-- **AddinType** The type of the Office addin.
-- **BinFileTimestamp** Timestamp of the Office addin
-- **BinFileVersion** Version of the Office addin
-- **Description** Office addin description
-- **FileId** FileId of the Office addin
-- **FileSize** File size of the Office addin
-- **FriendlyName** Friendly name for office addin
-- **FullPath** Unexpanded path to the office addin
+- **AddinCLSID** The class identifier key for the Microsoft Office add-in.
+- **AddInCLSID** The class identifier key for the Microsoft Office add-in.
+- **AddInId** The identifier for the Microsoft Office add-in.
+- **AddinType** The type of the Microsoft Office add-in.
+- **BinFileTimestamp** The timestamp of the Office add-in.
+- **BinFileVersion** The version of the Microsoft Office add-in.
+- **Description** Description of the Microsoft Office add-in.
+- **FileId** The file identifier of the Microsoft Office add-in.
+- **FileSize** The file size of the Microsoft Office add-in.
+- **FriendlyName** The friendly name for the Microsoft Office add-in.
+- **FullPath** The full path to the Microsoft Office add-in.
- **InventoryVersion** The version of the inventory binary generating the events.
-- **LoadBehavior** Uint32 that describes the load behavior
+- **LoadBehavior** Integer that describes the load behavior.
- **LoadTime** Load time for the office addin
-- **OfficeApplication** The office application for this addin
-- **OfficeArchitecture** Architecture of the addin
-- **OfficeVersion** The office version for this addin
-- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this addin
-- **ProductCompany** The name of the company associated with the Office addin
-- **ProductName** The product name associated with the Office addin
-- **ProductVersion** The version associated with the Office addin
-- **ProgramId** The unique program identifier of the Office addin
-- **Provider** Name of the provider for this addin
+- **OfficeApplication** The Microsoft Office application associated with the add-in.
+- **OfficeArchitecture** The architecture of the add-in.
+- **OfficeVersion** The Microsoft Office version for this add-in.
+- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in.
+- **ProductCompany** The name of the company associated with the Office add-in.
+- **ProductName** The product name associated with the Microsoft Office add-in.
+- **ProductVersion** The version associated with the Office add-in.
+- **ProgramId** The unique program identifier of the Microsoft Office add-in.
+- **Provider** Name of the provider for this add-in.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
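Review bot: **LoadTime** is skipped by this cleanup and keeps "Load time for the office addin", the old spelling with no closing period, while its neighbours now say "Microsoft Office add-in". **AddinCLSID** and **AddInCLSID** also end up with identical descriptions and differ only in letter case; if both fields are really emitted, say how they differ, otherwise drop one. **LoadBehavior** changes from "Uint32" to "Integer", which loses the width of the value and still does not say what the values mean.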
@@ -3785,6 +3877,81 @@ The following fields are available:
- **UptimeDeltaMS** Total time (in milliseconds) added to Uptime since the last event
+## Miracast events
+
+### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd
+
+This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session
+
+The following fields are available:
+
+- **AudioChannelCount** The number of audio channels.
+- **AudioSampleRate** The sample rate of audio in terms of samples per second.
+- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding.
+- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second.
+- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second.
+- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds.
+- **ConnectorType** The type of connector used during the Miracast session.
+- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds.
+- **EncodeCount** The count of total frames encoded in the session.
+- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds.
+- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds.
+- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds.
+- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable.
+- **FirstFrameTime** The time (tick count) when the first frame is sent.
+- **FirstLatencyMode** The first latency mode.
+- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds.
+- **FrameCount** The total number of frames processed.
+- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds.
+- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds.
+- **Glitches** The number of frames that failed to be delivered on time.
+- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended.
+- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended.
+- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second.
+- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second.
+- **LastLatencyMode** The last reported latency mode.
+- **LastLatencyTime** The last reported latency time.
+- **LogTimeReference** The reference time, in tick counts.
+- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second.
+- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second.
+- **MediaErrorCode** The error code reported by the media session, if applicable.
+- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded.
+- **MiracastM1** The time (tick count) when the M1 request was sent.
+- **MiracastM2** The time (tick count) when the M2 request was sent.
+- **MiracastM3** The time (tick count) when the M3 request was sent.
+- **MiracastM4** The time (tick count) when the M4 request was sent.
+- **MiracastM5** The time (tick count) when the M5 request was sent.
+- **MiracastM6** The time (tick count) when the M6 request was sent.
+- **MiracastM7** The time (tick count) when the M7 request was sent.
+- **MiracastSessionState** The state of the Miracast session when the connection ended.
+- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames.
+- **ProfileCount** The count of profiles generated from the receiver M4 response.
+- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities.
+- **RefreshRate** The refresh rate set on the remote display.
+- **RotationSupported** Indicates if the Miracast receiver supports display rotation.
+- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session.
+- **SessionGuid** The unique identifier of to correlate various Miracast events from a session.
+- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID.
+- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver.
+- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension.
+- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension.
+- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension.
+- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension.
+- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution.
+- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions.
+- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable.
+- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable.
+- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended.
+- **UIBCEverEnabled** Indicates whether UIBC was ever enabled.
+- **UIBCStatus** The result code reported by the UIBC setup process.
+- **VideoBitrate** The starting bitrate for the video encoder.
+- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype.
+- **VideoHeight** The height of encoded video frames.
+- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding.
+- **VideoWidth** The width of encoded video frames.
+- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol.
+
+
## OneDrive events
### Microsoft.OneDrive.Sync.Setup.APIOperation
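Review bot: **LowestDataRate** carries the description of **LowestBitrate** ("The lowest video bitrate used during the Miracast session"). AverageDataRate and HighestDataRate are both described as available bandwidth reported by the WiFi driver, so this one should read the same way. Smaller points: **SessionGuid** has a stray word ("The unique identifier of to correlate"), the event summary sentence has no closing period, and **LastLatencyTime** gives no unit while the other time fields state milliseconds or tick count.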
@@ -3920,10 +4087,10 @@ Event tells us effectiveness of new privacy experience.
The following fields are available:
-- **isAdmin** Whether the current user is an administrator or not
+- **isAdmin** whether the person who is logging in is an admin
- **isLaunching** Whether or not the privacy consent experience will be launched
-- **isSilentElevation** Whether the current user has enabled silent elevation
-- **privacyConsentState** The current state of the privacy consent experience
+- **isSilentElevation** whether the user has most restrictive UAC controls
+- **privacyConsentState** whether the user has completed privacy experience
- **userRegionCode** The current user's region setting
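Review bot: the three rewritten descriptions start in lowercase and no longer match the unchanged **isLaunching** and **userRegionCode** lines. The **isSilentElevation** change also alters the meaning, from "has enabled silent elevation" to "has most restrictive UAC controls"; these read as different conditions, so confirm which one the field reports. **privacyConsentState** going from "The current state" to "whether the user has completed" implies a boolean; if the field has more than two values, list them.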
@@ -4227,6 +4394,17 @@ This event indicates an error in the updater payload. This information assists i
+### Microsoft.Windows.Sediment.Info.PhaseChange
+
+The event indicates progress made by the updater. This information assists in keeping Windows up to date.
+
+The following fields are available:
+
+- **NewPhase** The phase of progress made.
+- **ReleaseVer** The version information for the component in which the change occurred.
+- **Time** The system time at which the phase chance occurred.
+
+
### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date.
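Review bot: typo in **Time**: "phase chance" should be "phase change". **NewPhase** would also be more useful with the possible phase values listed, or a pointer to where they are defined.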
@@ -4241,6 +4419,31 @@ The following fields are available:
- **Time** The system time at which the event occurred.
+### Microsoft.Windows.Sediment.OSRSS.DownloadingUrl
+
+This event provides information about the URL from which the Operating System Remediation System Service (OSRSS) is attempting to download. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **AttemptNumber** The count indicating which download attempt is starting.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which data was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.DownloadSuccess
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from the indicated URL. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which data was downloaded.
+
+
### Microsoft.Windows.Sediment.OSRSS.Error
This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
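Review bot: in DownloadSuccess the summary reads "successfully download data"; it should be "successfully downloaded data". In DownloadingUrl the event is described as an attempt, but **Url** says "The URL from which data was downloaded"; reword it so the field matches the event. Because **Url** is sent in both events, it is worth stating whether the value can include a query string or is limited to host and path.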
@@ -4256,6 +4459,65 @@ The following fields are available:
- **Time** The system time at which the event occurred.
+### Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which the validated EXE was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ExtractSuccess
+
+This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted downloaded content. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which the successfully extracted content was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.NewUrlFound
+
+This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL to download from. This helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The new URL from which content will be downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ProcessCreated
+
+This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute content downloaded from the indicated URL. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The new URL from which content will be executed.
+
+
+### Microsoft.Windows.Sediment.OSRSS.SelfUpdate
+
+This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The major version number for the component.
+- **ServiceVersionMinor** The minor version number for the component.
+- **Time** The system timestamp for when the event occurred.
+
+
### Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
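Review bot: in ProcessCreated, **Url** is described as "The new URL from which content will be executed", which looks copied from NewUrlFound; the summary says the process runs content already downloaded from that URL, so drop "new" and describe it as the download source. SelfUpdate uses different wording from the other events in this hunk for the same three fields ("major version number", "system timestamp") and is the only summary without the closing purpose sentence; align them. If ProcessCreated is only ever sent after ExeSignatureValidated for the same Url, saying so in the summary would help readers who audit this sequence.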
@@ -4270,6 +4532,66 @@ The following fields are available:
- **Time** System timestamp when the event was started.
+### Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
+
+This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update to itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.BinaryUpdated
+
+This event indicates the Operating System Remediation System Service (OSRSS) updated installer binaries with new binaries as part of its self-update process. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceRestarted
+
+This event indicates the Operating System Remediation System Service (OSRSS) has restarted after installing an updated version of itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceStopped
+
+This event indicates the Operating System Remediation System Service (OSRSS) was stopped by a self-updated to install an updated version of itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.UpdaterCompleted
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully completed the self-update operation. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.UpdaterLaunched
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully launched the self-updater after downloading it. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
### Microsoft.Windows.SedimentLauncher.Applicable
Indicates whether a given plugin is applicable.
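Review bot: the ServiceStopped summary reads "was stopped by a self-updated to install an updated version of itself"; it should be "by a self-update". The six ServiceInstaller events share the same two fields and none carries an identifier that ties one update attempt together, so say in the text whether **Time** and **InstallerVersion** are the intended way to correlate them.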
@@ -4293,6 +4615,7 @@ Indicates whether a given plugin has completed its work.
The following fields are available:
- **CV** Correlation vector.
+- **FailedReasons** Concatenated list of failure reasons.
- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
- **PackageVersion** Current package version of Remediation.
- **PluginName** Name of the plugin specified for each generic plugin event.
@@ -4480,30 +4803,6 @@ The following fields are available:
## SIH events
-### SIHEngineTelemetry.EvalApplicability
-
-This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action.
-
-The following fields are available:
-
-- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
-- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
-- **CachedEngineVersion** The engine DLL version that is being used.
-- **EventInstanceID** A unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
-- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it.
-- **IsExecutingAction** If the action is presently being executed.
-- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.)
-- **SihclientVersion** The client version that is being used.
-- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it.
-- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
-- **UpdateID** A unique identifier for the action being acted upon.
-- **WuapiVersion** The Windows Update API version that is currently installed.
-- **WuaucltVersion** The Windows Update client version that is currently installed.
-- **WuauengVersion** The Windows Update engine version that is currently installed.
-- **WUDeviceID** The unique identifier controlled by the software distribution client.
-
-
### SIHEngineTelemetry.SLSActionData
This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated.
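Review bot: the whole SIHEngineTelemetry.EvalApplicability section is deleted and nothing in the hunk says why. If the event is no longer sent at this diagnostic level, note that in the change description; if it is still sent, the field list needs to stay, since this page is the reference readers use to see what is collected.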
@@ -4515,7 +4814,7 @@ The following fields are available:
- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
- **FailedParseActions** The list of actions that were not successfully parsed.
- **ParsedActions** The list of actions that were successfully parsed.
-- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.)
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
- **SihclientVersion** The client version that is being used.
- **WuapiVersion** The Windows Update API version that is currently installed.
- **WuaucltVersion** The Windows Update client version that is currently installed.
@@ -4631,7 +4930,7 @@ The following fields are available:
- **FlightId** The specific id of the flight the device is getting
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
- **RevisionNumber** Identifies the revision number of this specific piece of content
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
- **SystemBIOSMajorRelease** Major release version of the system bios
- **SystemBIOSMinorRelease** Minor release version of the system bios
- **UpdateId** Identifier associated with the specific piece of content
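Review bot: **ServiceGuid** changes "Microsoft Store" to "Windows Store" here, while the SLSActionData hunk just above keeps "Microsoft Store" for the same field. Keep one name across the page, and close the list with "etc.)." as that hunk does.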
@@ -4644,32 +4943,32 @@ Download process event for target update on Windows Update client. See EventScen
The following fields are available:
-- **ActiveDownloadTime** Number of seconds the update was actively being downloaded.
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
-- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **AppXDownloadScope** Indicates the scope of the download for application content.
- **BiosFamily** The family of the BIOS (Basic Input Output System).
- **BiosName** The name of the device BIOS.
- **BiosReleaseDate** The release date of the device BIOS.
-- **BiosSKUNumber** The sku number of the device BIOS.
+- **BiosSKUNumber** The SKU number of the device BIOS.
- **BIOSVendor** The vendor of the BIOS.
- **BiosVersion** The version of the BIOS.
- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleId** Identifier associated with the specific content bundle.
- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download.
- **BundleRevisionNumber** Identifies the revision number of the content bundle.
- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client.
+- **CbsDownloadMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
- **ClientVersion** The version number of the software distribution client.
- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **DeviceModel** What is the device model.
+- **DeviceModel** The model of the device.
- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
-- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
-- **EventType** Possible values are Child, Bundle, or Driver.
+- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed.
+- **EventType** Identifies the type of the event (Child, Bundle, or Driver).
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
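Review bot: the new DownloadScenarioId line names "Delivery Optimizer", but the service is Delivery Optimization, as the UsedDO line later in this file spells it; use "Windows Update and Delivery Optimization events". The BundleId change also drops "should not be all zeros if the bundleID was found", which was the only hint in this description for recognising a failed bundle lookup; consider keeping that clause.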
@@ -4679,35 +4978,35 @@ The following fields are available:
- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
-- **HostName** The hostname URL the content is downloading from.
+- **HostName** The parent URL the content is downloading from.
- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
-- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkCostBitMask** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content.
- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
- **PackageFullName** The package name of the content.
- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
- **RegulationReason** The reason that the update is regulated
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector.
- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
-- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
-- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **RevisionNumber** The revision number of the specified piece of content.
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
+- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
- **SystemBIOSMajorRelease** Major version of the BIOS.
- **SystemBIOSMinorRelease** Minor version of the BIOS.
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
-- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
-- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded.
- **UpdateId** An identifier associated with the specific piece of content.
-- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **UsedDO** Whether the download used the delivery optimization service.
+- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional.
+- **UsedDO** Whether the download used the Delivery Optimization (DO) service.
- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
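Review bot: TimeToEstablishConnection still ends with "prior to beginning downloaded" after this rewrite; since the line is being touched anyway, change it to "prior to beginning the download". ServiceGuid also switches from "Microsoft Store" to "Windows Store", and TotalExpectedBytes capitalizes "Bytes" mid-sentence; please confirm the product name and lowercase "bytes".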
@@ -4855,24 +5154,24 @@ The following fields are available:
- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
- **ExtendedStatusCode** The secondary status code of the event.
-- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed.
- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
-- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
-- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
+- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id)
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
-- **RevisionId** The revision ID for a specific piece of content.
-- **RevisionNumber** The revision number for a specific piece of content.
+- **RevisionId** Identifies the revision of this specific piece of content
+- **RevisionNumber** Identifies the revision number of this specific piece of content
- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
-- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
-- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
-- **SignatureAlgorithm** The hash algorithm for the metadata signature.
+- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate.
+- **SHA256OfTimestampToken** An encoded string of the timestamp token.
+- **SignatureAlgorithm** Hash algorithm for the metadata signature
- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
- **StatusCode** The status code of the event.
- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
-- **UpdateId** The update ID for a specific piece of content.
+- **UpdateId** Identifier associated with the specific piece of content
- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
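Review bot: the SHA256OfTimestampToken description changes from a base64-encoded hash of the timestamp token blob to "An encoded string of the timestamp token", which no longer matches the field name and reads as if the token itself were sent rather than its SHA-256 hash. Restore the hash and base64 wording. The same hunk removes the trailing periods from MetadataSignature, RevisionId, RevisionNumber, SignatureAlgorithm and UpdateId and lowercases "revision id", leaving them inconsistent with the unchanged lines around them.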
@@ -5169,36 +5468,36 @@ The following fields are available:
- **CV** Correlation vector.
- **DetectorVersion** Most recently run detector version for the current campaign.
- **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user.
-- **key1** UI interaction data
-- **key10** UI interaction data
-- **key11** UI interaction data
-- **key12** UI interaction data
-- **key13** UI interaction data
-- **key14** UI interaction data
-- **key15** UI interaction data
-- **key16** UI interaction data
-- **key17** UI interaction data
-- **key18** UI interaction data
-- **key19** UI interaction data
-- **key2** UI interaction data
-- **key20** UI interaction data
-- **key21** UI interaction data
-- **key22** UI interaction data
-- **key23** UI interaction data
-- **key24** UI interaction data
-- **key25** UI interaction data
-- **key26** UI interaction data
-- **key27** UI interaction data
-- **key28** UI interaction data
-- **key29** UI interaction data
-- **key3** UI interaction data
-- **key30** UI interaction data
-- **key4** UI interaction data
-- **key5** UI interaction data
-- **key6** UI interaction data
-- **key7** UI interaction data
-- **key8** UI interaction data
-- **key9** UI interaction data
+- **key1** UI interaction data.
+- **key10** UI interaction data.
+- **key11** UI interaction data.
+- **key12** UI interaction data.
+- **key13** UI interaction data.
+- **key14** UI interaction data.
+- **key15** UI interaction data.
+- **key16** UI interaction data.
+- **key17** UI interaction data.
+- **key18** UI interaction data.
+- **key19** UI interaction data.
+- **key2** UI interaction data.
+- **key20** UI interaction data.
+- **key21** UI interaction data.
+- **key22** UI interaction data.
+- **key23** UI interaction data.
+- **key24** UI interaction data.
+- **key25** UI interaction data.
+- **key26** The interaction data for the user interface.
+- **key27** UI interaction data.
+- **key28** UI interaction data.
+- **key29** UI interaction data.
+- **key3** UI interaction data.
+- **key30** UI interaction data.
+- **key4** UI interaction data.
+- **key5** UI interaction data.
+- **key6** UI interaction data.
+- **key7** UI interaction data.
+- **key8** UI interaction data.
+- **key9** UI interaction data.
- **PackageVersion** Current package version of the update notification.
- **schema** UI interaction type.
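Review bot: key26 is the only one of the thirty keyN fields that gets "The interaction data for the user interface." while the other twenty-nine get "UI interaction data."; unless key26 really differs, use the same sentence for all thirty.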
@@ -5301,6 +5600,16 @@ The following fields are available:
- **Type** Type of package that was downloaded.
+### FacilitatorTelemetry.DUDownload
+
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows.
+
+The following fields are available:
+
+- **PackageCategoriesFailed** Lists the categories of packages that failed to download.
+- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped.
+
+
### FacilitatorTelemetry.InitializeDU
This event determines whether devices received additional or critical supplemental content during an OS upgrade.
@@ -5374,7 +5683,7 @@ The following fields are available:
- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
- **TestId** ID that uniquely identifies a group of events.
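Review bot: the Setup360Scenario line loses its trailing period while every neighbouring description in this hunk keeps one; this looks like an accidental revert, so keep "Example: Boot, Media, Update, MCT.".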
@@ -5516,7 +5825,7 @@ The following fields are available:
- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
- **Operation** Facilitator’s last known operation (scan, download, etc.).
- **ReportId** ID for tying together events stream side.
-- **ResultCode** Result returned by setup for the entire operation.
+- **ResultCode** Result returned for the entire setup operation.
- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
- **ScenarioId** Identifies the update scenario.
- **TargetBranch** Branch of the target OS.
@@ -5675,7 +5984,7 @@ The following fields are available:
- **PertProb** Constant used in algorithm for randomization.
-## Microsoft Store events
+## Windows Store events
### Microsoft.Windows.Store.StoreActivating
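Review bot: renaming the section heading to "Windows Store events" changes the heading's generated anchor, so existing links to the old section will stop resolving, and it disagrees with the "Microsoft Store" wording still used in unchanged descriptions elsewhere in this file (for example the ServiceGuid line that reads "Windows Update or Microsoft Store"). Confirm the rename is intended or keep "Microsoft Store events".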
@@ -5947,9 +6256,9 @@ The following fields are available:
- **CatalogId** The name of the product catalog from which this app was chosen.
- **FailedRetry** Indicates whether the installation or update retry was successful.
-- **HResult** The HResult code of the operation.
-- **PFN** The Package Family Name of the app that is being installed or updated.
-- **ProductId** The product ID of the app that is being updated or installed.
+- **HResult** Resulting HResult error/success code of this call
+- **PFN** Package Family Name of the app that being installed or updated
+- **ProductId** Product Id of the app that is being updated or installed
### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
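Review bot: the new PFN line reads "the app that being installed or updated", dropping the "is" that the removed line had, and all three replaced lines lose their terminal period; ProductId also changes "product ID" to "Product Id". Suggest "Package Family Name of the app that is being installed or updated." and keeping "ID" and the periods.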
@@ -6114,7 +6423,7 @@ The following fields are available:
- **current** Result of currency check.
- **dismOperationSucceeded** Dism uninstall operation status.
-- **hResult** Failure Error code.
+- **hResult** Failure error code.
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
@@ -6259,7 +6568,7 @@ The following fields are available:
- **background** Indicates whether the download is happening in the background.
- **bytesRequested** Number of bytes requested for the download.
- **callerName** Name of the API caller.
-- **cdnUrl** The URL of the source CDN
+- **cdnUrl** The URL of the source Content Distribution Network (CDN).
- **costFlags** A set of flags representing network cost.
- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
- **diceRoll** Random number used for determining if a client will use peering.
@@ -6334,21 +6643,21 @@ This event collects information regarding the state of devices and drivers on th
The following fields are available:
- **activated** Whether the entire device manifest update is considered activated and in use.
-- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis.
+- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis.
- **flightId** Unique ID for each flight.
-- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system.
-- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system.
+- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system.
+- **missingUpdateCount** The number of updates in the device manifest that are missing from the system.
- **objectId** Unique value for each diagnostics session.
-- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices.
+- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices.
- **relatedCV** Correlation vector value generated from the latest USO scan.
- **scenarioId** Indicates the update scenario.
- **sessionId** Unique value for each update session.
-- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on.
+- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
-- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string.
-- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string.
+- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string.
+- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string.
- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
-- **updateId** Unique ID for each Update.
+- **updateId** The unique ID for each update.
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
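Review bot: unpublishedCount is left in the old "How many drivers packages that were delivered..." form while analysisErrorCount, missingDriverCount, missingUpdateCount and publishedCount are all rewritten to "The number of..."; rewrite it in the same pass. The new publishedCount line also carries over "drivers packages", which should read "driver packages".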
@@ -6419,11 +6728,11 @@ This event collects information regarding the install phase of the new device ma
The following fields are available:
- **errorCode** The error code returned for the current install phase.
-- **flightId** Unique ID for each flight.
+- **flightId** The unique identifier for each flight (pre-release builds).
- **objectId** Unique value for each diagnostics session.
-- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **relatedCV** Correlation vector value generated from the latest scan.
- **result** Outcome of the install phase of the update.
-- **scenarioId** Indicates the update scenario.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
- **sessionId** Unique value for each update session.
- **updateId** Unique ID for each Update.
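Review bot: relatedCV drops "USO" and now says only "the latest scan", while the relatedCV line in the preceding hunk and the RelatedCV line added for the CleanupSafeOsImages mitigation still say "latest USO scan", so a reader correlating events can no longer tell which scan is meant. Keep "USO scan" or change every occurrence together. The new scenarioId example list is also missing its terminal period.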
@@ -6434,13 +6743,13 @@ This event sends data for the start of each mode during the process of updating
The following fields are available:
-- **flightId** Unique ID for each flight.
-- **mode** The mode that is starting.
+- **flightId** The unique identifier for each flight (pre-release builds).
+- **mode** Indicates the active Update Agent mode.
- **objectId** Unique value for each diagnostics session.
-- **relatedCV** Correlation vector value generated from the latest USO scan.
-- **scenarioId** Indicates the update scenario.
-- **sessionId** Unique value for each update session.
-- **updateId** Unique ID for each Update.
+- **relatedCV** Correlation vector value generated from the latest scan.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId** The unique identifier for each update session.
+- **updateId** The unique identifier for each Update.
### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
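Review bot: updateId is rewritten to "The unique identifier for each Update." with a capital "Update" mid-sentence, whereas the equivalent line changed a few hunks earlier reads "The unique ID for each update."; pick one form ("identifier" or "ID", lowercase "update") and apply it to every updateId description this patch touches.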
@@ -6565,6 +6874,22 @@ The following fields are available:
- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time.
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog
+
+This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings).
+- **ETag** The OneSettings versioning value.
+- **ExitCode** Indicates how users exited the reboot reminder dialog box.
+- **RebootVersion** The version of the DTE (Direct-to-Engaged).
+- **UpdateId** The ID of the update that is waiting for reboot to finish installation.
+- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation.
+- **UserResponseString** The option chosen by the user on the reboot dialog box.
+- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC).
+
+
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog
This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart.
@@ -6597,6 +6922,12 @@ The following fields are available:
- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedSecondRebootReminderDialog
+
+This event is sent when a second reminder dialog is displayed during Enhanced Engaged Reboot.
+
+
+
### Microsoft.Windows.Update.NotificationUx.RebootScheduled
Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
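Review bot: the added heading EnhancedEngagedSecondRebootReminderDialog differs only in word order from the existing EnhancedEngagedRebootSecondReminderDialog event shown a few lines above, carries an almost identical description, and has no "The following fields are available" list. Confirm this is a distinct event rather than a duplicate entry, and either add its fields or state that it has none.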
@@ -6671,7 +7002,7 @@ The following fields are available:
- **displayNeededReason** List of reasons for needing display.
- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
-- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery)..
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
- **gameModeReason** Name of the executable that caused the game mode state check to start.
- **ignoredReason** List of reasons that were intentionally ignored.
- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery).
@@ -6688,20 +7019,20 @@ This event indicates that a scan for a Windows Update occurred.
The following fields are available:
-- **deferReason** Reason why the device could not check for updates.
-- **detectionBlockingPolicy** State of update action.
-- **detectionBlockreason** State of update action
+- **deferReason** The reason why the device could not check for updates.
+- **detectionBlockingPolicy** The Policy that blocked detection.
+- **detectionBlockreason** The reason detection did not complete.
- **detectionRetryMode** Indicates whether we will try to scan again.
-- **errorCode** Error info
+- **errorCode** The error code returned for the current process.
- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **flightID** The specific ID of the Windows Insider build the device is getting.
-- **interactive** Indicates whether the session was user initiated.
-- **networkStatus** Error info
-- **revisionNumber** Update revision number.
-- **scanTriggerSource** Source of the triggered scan.
-- **updateId** Update ID.
-- **updateScenarioType** Device ID
-- **wuDeviceid** Device ID
+- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
+- **interactive** Indicates whether the user initiated the session.
+- **networkStatus** Indicates if the device is connected to the internet.
+- **revisionNumber** The Update revision number.
+- **scanTriggerSource** The source of the triggered scan.
+- **updateId** The unique identifier of the Update.
+- **updateScenarioType** Identifies the type of update session being performed.
+- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
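Review bot: the new flightID text, "The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.", is missing a relative pronoun and does not parse; suggest "...for the flight (Windows Insider pre-release build) that should be delivered to the device, if applicable." The same sentence is added for flightID in the install-complete event further down and needs the same fix. Also lowercase "Policy" in detectionBlockingPolicy and "Update" in revisionNumber and updateId.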
@@ -6785,7 +7116,7 @@ This event is sent during update scan, download, or install, and indicates that
The following fields are available:
-- **configVersion** Escalation config version on device.
+- **configVersion** The escalation configuration version on the device.
- **downloadElapsedTime** Indicates how long since the download is required on device.
- **downloadRiskLevel** At-risk level of download phase.
- **installElapsedTime** Indicates how long since the install is required on device.
@@ -6861,7 +7192,7 @@ The following fields are available:
- **deferReason** Reason for install not completing.
- **errorCode** The error code reppresented by a hexadecimal value.
- **eventScenario** End-to-end update session ID.
-- **flightID** Unique update ID
+- **flightID** The ID of the Windows Insider build the device is getting.
- **flightUpdate** Indicates whether the update is a Windows Insider build.
- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
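Review bot: the unchanged errorCode line just above the flightID edit still reads "reppresented"; fix the spelling to "represented" in the same change while this block is open.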
@@ -6907,15 +7238,15 @@ This event is sent after a Windows update install completes.
The following fields are available:
-- **batteryLevel** Current battery capacity in mWh or percentage left.
-- **bundleId** Identifier associated with the specific content bundle.
+- **batteryLevel** Current battery capacity in megawatt-hours (mWh) or percentage left.
+- **bundleId** The unique identifier associated with the specific content bundle.
- **bundleRevisionnumber** Identifies the revision number of the content bundle.
- **errorCode** The error code returned for the current phase.
- **eventScenario** State of update action.
-- **flightID** The flight ID of the device
+- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
- **sessionType** The Windows Update session type (Interactive or Background).
-- **updateScenarioType** The update session type.
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **updateScenarioType** Identifies the type of Update session being performed.
+- **wuDeviceid** The unique device identifier used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
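Review bot: batteryLevel expands mWh as "megawatt-hours", but mWh is milliwatt-hours (megawatt-hours would be MWh); change the line to "Current battery capacity in milliwatt-hours (mWh) or percentage left."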
@@ -7188,7 +7519,7 @@ The following fields are available:
- **scheduledRebootTime** Time scheduled for the reboot.
- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
- **updateId** Identifies which update is being scheduled.
-- **wuDeviceid** Unique DeviceID
+- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
@@ -7234,21 +7565,21 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS
The following fields are available:
-- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **ClientId** The client ID used by Windows Update.
+- **FlightId** The ID of each Windows Insider build the device received.
+- **InstanceId** A unique device ID that identifies each update instance.
- **MitigationScenario** The update scenario in which the mitigation was executed.
-- **MountedImageCount** Number of mounted images.
-- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT.
-- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
-- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
-- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **MountedImageCount** The number of mounted images.
+- **MountedImageMatches** The number of mounted image matches.
+- **MountedImagesFailed** The number of mounted images that could not be removed.
+- **MountedImagesRemoved** The number of mounted images that were successfully removed.
+- **MountedImagesSkipped** The number of mounted images that were not found.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
- **Result** HResult of this operation.
- **ScenarioId** ID indicating the mitigation scenario.
- **ScenarioSupported** Indicates whether the scenario was supported.
- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each Update.
+- **UpdateId** Unique ID for each Windows Update.
- **WuId** Unique ID for the Windows Update client.
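Review bot: several rewrites in this hunk change what the field means rather than only its wording. InstanceId goes from a GUID identifying each instance of setuphost.exe to "A unique device ID", MountedImagesSkipped goes from images not under %systemdrive%\$Windows.~BT to images "that were not found", and MountedImageMatches, MountedImagesFailed and MountedImagesRemoved drop the %systemdrive%\$Windows.~BT path that defined what was being counted. ClientId likewise loses the Media360 default for media setup. Please check these against the event schema and keep the path and the setuphost.exe scoping unless the old text was wrong.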
@@ -7297,6 +7628,38 @@ The following fields are available:
- **WuId** Unique ID for the Windows Update client.
+## Windows Update Reserve Manager events
+
+### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
+
+
+
+### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError
+
+This event is sent when the Update Reserve Manager returns an error from one of its internal functions.
+
+
+
+### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization
+
+This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot.
+
+
+
+### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
+
+
+
+### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed.
+
+
+
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
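Review bot: in UpdatePendingHardReserveAdjustment, "after the option content is installed" reads like a typo for "optional content"; please confirm. All five new UpdateReserveManager events are also added without a field list and with three blank lines after each description, unlike the other events in this file; add the fields or state that none are collected, and trim the blank lines to match the surrounding sections.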
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 639c8005ed..73ccbef0c7 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -9,7 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
ms.author: brianlic
-ms.date: 12/13/2018
+ms.date: 02/15/2019
---
@@ -306,7 +306,7 @@ The following fields are available:
- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers.
-- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device.
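Review bot: The new DatasourceApplicationFile_RS3 text fixes the wrong object name (the old line said DecisionApplicationFile) but replaces it with the generic "The count of the number of this particular object type present on this device", which is redundant wording and no longer says which release RS3 targets. Something like "The total DatasourceApplicationFile objects targeting Windows 10 version 1709 on this device" would match how other hunks in this patch describe RS3. While here, the RS1 and RS2 context lines describe a count field as "An ID for the system, calculated by hashing hardware identifiers", which looks like a copy-paste error worth fixing in the same pass.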
@@ -317,8 +317,8 @@ The following fields are available:
- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
-- **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device.
-- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
+- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
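Review bot: DatasourceDevicePnp_RS2 loses information here: the removed line named the target release ("Windows 10 version 1703"), the replacement is the generic count sentence, and the RS1 line directly above still names version 1607. Keep the version-specific form for RS2, and for RS3 replace "the next release of Windows" with the actual version rather than dropping the target altogether.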
@@ -331,7 +331,7 @@ The following fields are available:
- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device.
-- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
+- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device.
@@ -343,8 +343,8 @@ The following fields are available:
- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
-- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device.
@@ -356,7 +356,7 @@ The following fields are available:
- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device.
@@ -367,8 +367,8 @@ The following fields are available:
- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device.
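Review bot: This hunk moves RS2 and RS3 to version-specific descriptions (1703 and 1709), while the DatasourceDevicePnp and DataSourceMatchingInfoBlock hunks above replace the same kind of entry with the generic count sentence. Pick one convention for all the *_RS2 and *_RS3 fields in this file; the version-specific form used here is the more informative one.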
@@ -380,7 +380,7 @@ The following fields are available:
- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
-- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
+- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device.
- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device.
@@ -393,7 +393,7 @@ The following fields are available:
- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device.
-- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device.
@@ -404,8 +404,8 @@ The following fields are available:
- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
-- **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device.
-- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
@@ -418,7 +418,7 @@ The following fields are available:
- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device.
-- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device.
+- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device.
@@ -431,8 +431,8 @@ The following fields are available:
- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
-- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device.
+- **DecisionMatchingInfoBlock_RS4** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1803 present on this device.
- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device.
@@ -442,8 +442,8 @@ The following fields are available:
- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
-- **DecisionMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device.
+- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device.
- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device.
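Review bot: DecisionMatchingInfoPassive_RS3 is described as targeting "Windows 10 version 1803", but everywhere else in this patch RS3 maps to 1709 and RS4 to 1803 (see DecisionMatchingInfoBlock_RS3/RS4 and DecisionMediaCenter_RS3/RS4). This looks like a wrong version number; it should read 1709. The fix of the object name from DataSourceMatchingInfoPassive to DecisionMatchingInfoPassive is correct.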
@@ -454,8 +454,8 @@ The following fields are available:
- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
-- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
-- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
+- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device.
@@ -467,8 +467,8 @@ The following fields are available:
- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
-- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
-- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device.
+- **DecisionMediaCenter_RS4** The total DecisionMediaCenter objects targeting Windows 10 version 1803 present on this device.
- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device.
@@ -478,8 +478,8 @@ The following fields are available:
- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
-- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device.
-- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device.
+- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device.
- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device.
- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
@@ -487,6 +487,7 @@ The following fields are available:
- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device.
+- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device.
- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
- **InventoryDeviceContainer** A count of device container objects in cache.
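Review bot: DecisionSystemProcessor_RS2 is added on its own, with no other release variants (RS1, RS3, RS4 and so on), unlike every other Decision* family in this list. If only the RS2 field is actually sent, a short remark would prevent readers from assuming the others were forgotten; otherwise add the missing entries. The adjacent context line DecisionTest_RS1 is described as "An ID for the system, calculated by hashing hardware identifiers", which does not fit a count field either.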
@@ -496,25 +497,27 @@ The following fields are available:
- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
- **InventorySystemBios** The count of the number of this particular object type present on this device.
+- **InventorySystemMachine** The count of the number of this particular object type present on this device.
+- **InventorySystemProcessor** The count of the number of this particular object type present on this device.
- **InventoryTest** The count of the number of this particular object type present on this device.
- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
- **PCFP** The count of the number of this particular object type present on this device.
- **SystemMemory** The count of the number of this particular object type present on this device.
- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
-- **SystemProcessorNx** The count of the number of this particular object type present on this device.
-- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device.
-- **SystemProcessorSse2** The count of the number of this particular object type present on this device.
+- **SystemProcessorNx** The total number of objects of this type present on this device.
+- **SystemProcessorPrefetchW** The total number of objects of this type present on this device.
+- **SystemProcessorSse2** The total number of objects of this type present on this device.
- **SystemTouch** The count of the number of this particular object type present on this device.
-- **SystemWim** The count of the number of this particular object type present on this device.
+- **SystemWim** The total number of objects of this type present on this device.
- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
-- **SystemWlan** The count of the number of this particular object type present on this device.
+- **SystemWlan** The total number of objects of this type present on this device.
- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device.
- **Wmdrm_19H1** The count of the number of this particular object type present on this device.
- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device.
- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device.
-- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
+- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers.
+- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers.
- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device.
- **Wmdrm_RS5** The count of the number of this particular object type present on this device.
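Review bot: Wmdrm_RS2 and Wmdrm_RS3 are changed from object counts to "An ID for the system, calculated by hashing hardware identifiers", which contradicts the Wmdrm_RS4 line just below ("The total Wmdrm objects targeting Windows 10, version 1803 present on this device") and looks like the Wmdrm_RS1 copy-paste error being propagated rather than fixed. Please restore count descriptions with the correct versions. Separately, SystemProcessorNx, SystemProcessorPrefetchW, SystemProcessorSse2, SystemWim and SystemWlan switch to "The total number of objects of this type" while their neighbours (SystemMemory, SystemTouch, SystemWindowsActivationStatus) keep the old wording; use one phrasing for the whole list.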
@@ -573,6 +576,10 @@ The following fields are available:
- **ActiveNetworkConnection** Indicates whether the device is an active network device.
- **AppraiserVersion** The version of the appraiser file generating the events.
+- **CosDeviceRating** An enumeration that indicates if there is a driver on the target operating system.
+- **CosDeviceSolution** An enumeration that indicates how a driver on the target operating system is available.
+- **CosDeviceSolutionUrl** Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string
+- **CosPopulatedFromId** The expected uplevel driver matching ID based on driver coverage data.
- **IsBootCritical** Indicates whether the device boot is critical.
- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device.
- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update.
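Review bot: The CosDeviceSolutionUrl entry is not a description: "Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string" is the event name followed by what appears to be a default value. Replace it with a sentence saying what the URL points to and when it is empty. CosDeviceRating and CosDeviceSolution are both described as "an enumeration" without listing or linking the possible values, which leaves the reader unable to interpret them.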
@@ -870,6 +877,7 @@ The following fields are available:
- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block?
- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block?
+- **DriverIsTroubleshooterBlocked** Indicates whether the driver package is blocked because of a troubleshooter block.
- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
@@ -937,7 +945,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
-This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1320,6 +1328,7 @@ The following fields are available:
- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
- **AppraiserProcess** The name of the process that launched Appraiser.
- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **CensusId** A unique hardware identifier.
- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
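Review bot: "A unique hardware identifier" is too thin for CensusId in a privacy reference. The PCFP line two rows down states how its value is derived ("calculated by hashing hardware identifiers"); CensusId should say the same kind of thing: what it is derived from, whether it is hashed, and how it differs from PCFP.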
@@ -1780,7 +1789,7 @@ The following fields are available:
- **AppraiserTaskExitCode** The Appraiser task exist code.
- **AppraiserTaskLastRun** The last runtime for the Appraiser task.
- **CensusVersion** The version of Census that generated the current data for this device.
-- **IEVersion** IE version running on the device.
+- **IEVersion** The version of Internet Explorer that is running on the device.
### Census.Battery
@@ -1989,18 +1998,14 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
-- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
-- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
-- **ContactsSystem** Current state of the Contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
-- **EmailSystem** Current state of the email setting.
- **FindMyDevice** Current state of the "find my device" setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
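Review bot: This hunk deletes AppointmentsSystem, ChatSystem, ContactsSystem and EmailSystem from the field list, and the following hunks remove PhoneCallHistorySystem and UserDataTasksSystem, with no explanation in the visible change. For a diagnostic-data reference, removing a documented field should correspond to the event no longer sending it on 1809; please confirm that and note it in the commit description, since otherwise the documentation under-reports what is collected.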
@@ -2012,7 +2017,6 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
-- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -2022,7 +2026,6 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
-- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -2035,7 +2038,7 @@ Provides information on several important data points about Processor settings
The following fields are available:
-- **KvaShadow** Microcode info of the processor.
+- **KvaShadow** This is the micro code information of the processor.
- **MMSettingOverride** Microcode setting of the processor.
- **MMSettingOverrideMask** Microcode setting override of the processor.
- **PreviousUpdateRevision** Previous microcode revision
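Review bot: The new KvaShadow text spells it "micro code" while the lines directly below use "Microcode", and the "This is the" opener adds nothing; the other entries start with the noun phrase. The description is also identical in meaning to the one it replaces, so the field still is not distinguished from MMSettingOverride or ProcessorUpdateRevision. Please state what KvaShadow actually reports.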
@@ -2046,10 +2049,10 @@ The following fields are available:
- **ProcessorManufacturer** Name of the processor manufacturer.
- **ProcessorModel** Name of the processor model.
- **ProcessorPhysicalCores** Number of physical cores in the processor.
-- **ProcessorUpdateRevision** Microcode revision
+- **ProcessorUpdateRevision** The microcode revision.
- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status
- **SocketCount** Count of CPU sockets.
-- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+- **SpeculationControl** Indicates whether the system has enabled protections needed to validate the speculation control vulnerability.
### Census.Security
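Review bot: The reworded SpeculationControl line keeps "protections needed to validate the speculation control vulnerability"; "validate" does not fit, since protections mitigate a vulnerability rather than validate it. Please confirm the intended verb. Minor: ProcessorUpdateRevision gains a trailing period but the ProcessorUpdateStatus line next to it still has none.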
@@ -2097,6 +2100,7 @@ The following fields are available:
- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+- **StorageReservePassedPolicy** Indicates whether the Storage Reserve policy, which ensures that updates have enough disk space and customers are on the latest OS, is enabled on this device.
- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
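Review bot: The field name StorageReservePassedPolicy suggests the result of a check (the device passed the policy), but the description says it indicates whether the policy "is enabled on this device". These are different states; please clarify which one the value reports. The clause "and customers are on the latest OS" reads as rationale rather than field semantics and could be dropped.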
@@ -2159,18 +2163,14 @@ The following fields are available:
- **AdvertisingId** Current state of the advertising ID setting.
- **AppDiagnostics** Current state of the app diagnostics setting.
- **Appointments** Current state of the calendar setting.
-- **AppointmentsSystem** Current state of the calendar setting.
- **Bluetooth** Current state of the Bluetooth capability setting.
- **BluetoothSync** Current state of the Bluetooth sync capability setting.
- **BroadFileSystemAccess** Current state of the broad file system access setting.
- **CellularData** Current state of the cellular data capability setting.
- **Chat** Current state of the chat setting.
-- **ChatSystem** Current state of the chat setting.
- **Contacts** Current state of the contacts setting.
-- **ContactsSystem** Current state of the contacts setting.
- **DocumentsLibrary** Current state of the documents library setting.
- **Email** Current state of the email setting.
-- **EmailSystem** Current state of the email setting.
- **GazeInput** Current state of the gaze input setting.
- **HumanInterfaceDevice** Current state of the human interface device setting.
- **InkTypeImprovement** Current state of the improve inking and typing setting.
@@ -2182,7 +2182,6 @@ The following fields are available:
- **Microphone** Current state of the microphone setting.
- **PhoneCall** Current state of the phone call setting.
- **PhoneCallHistory** Current state of the call history setting.
-- **PhoneCallHistorySystem** Current state of the call history setting.
- **PicturesLibrary** Current state of the pictures library setting.
- **Radios** Current state of the radios setting.
- **SensorsCustom** Current state of the custom sensor setting.
@@ -2192,7 +2191,6 @@ The following fields are available:
- **USB** Current state of the USB setting.
- **UserAccountInformation** Current state of the account information setting.
- **UserDataTasks** Current state of the tasks setting.
-- **UserDataTasksSystem** Current state of the tasks setting.
- **UserNotificationListener** Current state of the notifications setting.
- **VideosLibrary** Current state of the videos library setting.
- **Webcam** Current state of the camera setting.
@@ -2542,6 +2540,42 @@ The following fields are available:
- **transactionCanceled** Indicates whether the uninstall was cancelled.
+### CbsServicingProvider.CbsQualityUpdateInstall
+
+This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date.
+
+The following fields are available:
+
+- **buildVersion** The build version number of the update package.
+- **clientId** The name of the application requesting the optional content.
+- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device.
+- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure.
+- **currentStateEnd** The final state of the package after the operation has completed.
+- **doqTimeSeconds** The time in seconds spent updating drivers.
+- **executeTimeSeconds** The number of seconds required to execute the install.
+- **failureDetails** The driver or installer that caused the update to fail.
+- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred.
+- **hrStatusEnd** The return code of the install operation.
+- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file.
+- **majorVersion** The major version number of the update package.
+- **minorVersion** The minor version number of the update package.
+- **originalState** The starting state of the package.
+- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation.
+- **planTimeSeconds** The time in seconds required to plan the update operations.
+- **poqTimeSeconds** The time in seconds processing file and registry operations.
+- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update.
+- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot.
+- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed.
+- **rebootCount** The number of reboots required to install the update.
+- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update.
+- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update.
+- **revisionVersion** The revision version number of the update package.
+- **rptTimeSeconds** The time in seconds spent executing installer plugins.
+- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update.
+- **stackRevision** The revision number of the servicing stack.
+- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update.
+
+
## Deployment extensions
### DeploymentTelemetry.Deployment_End
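Review bot: the clientId description in the new CbsQualityUpdateInstall section, "The name of the application requesting the optional content", reads as if it was copied from an optional-content event, while this event reports on installing servicing content from Windows Update. Please confirm what clientId identifies here and reword it. Two smaller points in the same list: poqTimeSeconds ("The time in seconds processing file and registry operations") is missing a verb such as "spent", and the timing fields alternate between "The time in seconds" and "The time (in seconds)", so pick one form.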
@@ -2609,7 +2643,7 @@ The following fields are available:
- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in.
- **BatteryLevelAtLastShutdown** The last recorded battery level.
- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown.
-- **CrashDumpEnabled** Are crash dumps enabled?
+- **CrashDumpEnabled** Indicates whether crash dumps are enabled.
- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset.
- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported.
- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware.
@@ -2630,36 +2664,36 @@ The following fields are available:
- **LastBugCheckVersion** The version of the information struct written during the crash.
- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown.
- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button.
-- **OOBEInProgress** Identifies if OOBE is running.
+- **OOBEInProgress** Identifies if the Out-Of-Box-Experience is running.
- **OSSetupInProgress** Identifies if the operating system setup is running.
-- **PowerButtonCumulativePressCount** How many times has the power button been pressed?
-- **PowerButtonCumulativeReleaseCount** How many times has the power button been released?
-- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics.
-- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed.
-- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed.
-- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released.
-- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released.
+- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released").
+- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed").
+- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file).
+- **PowerButtonLastPressBootId** BootId of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released").
+- **PowerButtonLastPressTime** Date/time of the last time the Power Button was pressed ("pressed" not to be confused with "released").
+- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed").
+- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed").
- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed.
- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed.
-- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
+- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed.
- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid.
- **StaleBootStatData** Identifies if the data from bootstat is stale.
-- **TransitionInfoBootId** BootId of the captured transition info.
-- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode.
-- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode.
-- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode.
-- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode.
-- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp,
+- **TransitionInfoBootId** The Boot ID of the captured transition information.
+- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved.
+- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited").
+- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered").
+- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved.
+- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp.
- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved.
- **TransitionInfoLidState** Describes the state of the laptop lid.
-- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed.
-- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode.
-- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode.
-- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running.
+- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime).
+- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved.
+- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved.
+- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved.
- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed.
- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed.
- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition.
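Review bot: the parenthetical ("pressed" not to be confused with "released") and its mirror image are repeated on most of the rewritten PowerButton* lines and again on TransitionInfoCSEntryReason and TransitionInfoCSExitReason, which adds noise without adding information; the field names already carry the distinction. The new text also mixes "Power Button" with the "power button" used in the unchanged lines, and "Boot ID" with "BootId". Separately, the new PowerButtonPressLastPowerWatchdogStage description, "The last stage completed when the Power Button was most recently pressed", no longer says which process the stage belongs to, whereas the old text tied it to the monitor being turned on. Suggest dropping the parentheticals, settling on one capitalization, and naming the watchdog process in that description.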
@@ -3369,6 +3403,7 @@ The following fields are available:
- **GPUVendorID** The GPU vendor ID.
- **InterfaceId** The GPU interface ID.
- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling.
- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
- **IsLDA** Is the GPU comprised of Linked Display Adapters?
@@ -3382,6 +3417,7 @@ The following fields are available:
- **IsSoftwareDevice** Is this a software implementation of the GPU?
- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store.
- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **MsHybridDiscrete** Indicates whether the adapter is a discrete adapter in a hybrid configuration.
- **NumVidPnSources** The number of supported display output sources.
- **NumVidPnTargets** The number of supported display output targets.
- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
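Review bot: the added MsHybridDiscrete line ("Indicates whether the adapter is a discrete adapter in a hybrid configuration") is hard to tell apart from IsHybridDiscrete earlier in the same field list, which is described as whether the GPU has discrete GPU capabilities in a hybrid device. Please state how the two fields differ, or note if one supersedes the other.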
@@ -3393,6 +3429,81 @@ The following fields are available:
- **WDDMVersion** The Windows Display Driver Model version.
+## Failover Clustering events
+
+### Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
+
+This event returns information about how many resources and of what type are in the server cluster. This data is collected to keep Windows Server safe, secure, and up to date. The data includes information about whether hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by attributing issues (like fatal errors) to workloads and system configurations.
+
+The following fields are available:
+
+- **autoAssignSite** The cluster parameter: auto site.
+- **autoBalancerLevel** The cluster parameter: auto balancer level.
+- **autoBalancerMode** The cluster parameter: auto balancer mode.
+- **blockCacheSize** The configured size of the block cache.
+- **ClusterAdConfiguration** The ad configuration of the cluster.
+- **clusterAdType** The cluster parameter: mgmt_point_type.
+- **clusterDumpPolicy** The cluster configured dump policy.
+- **clusterFunctionalLevel** The current cluster functional level.
+- **clusterGuid** The unique identifier for the cluster.
+- **clusterWitnessType** The witness type the cluster is configured for.
+- **countNodesInSite** The number of nodes in the cluster.
+- **crossSiteDelay** The cluster parameter: CrossSiteDelay.
+- **crossSiteThreshold** The cluster parameter: CrossSiteThreshold.
+- **crossSubnetDelay** The cluster parameter: CrossSubnetDelay.
+- **crossSubnetThreshold** The cluster parameter: CrossSubnetThreshold.
+- **csvCompatibleFilters** The cluster parameter: ClusterCsvCompatibleFilters.
+- **csvIncompatibleFilters** The cluster parameter: ClusterCsvIncompatibleFilters.
+- **csvResourceCount** The number of resources in the cluster.
+- **currentNodeSite** The name configured for the current site for the cluster.
+- **dasModeBusType** The direct storage bus type of the storage spaces.
+- **downLevelNodeCount** The number of nodes in the cluster that are running down-level.
+- **drainOnShutdown** Specifies whether a node should be drained when it is shut down.
+- **dynamicQuorumEnabled** Specifies whether dynamic Quorum has been enabled.
+- **enforcedAntiAffinity** The cluster parameter: enforced anti affinity.
+- **genAppNames** The win32 service name of a clustered service.
+- **genSvcNames** The command line of a clustered genapp.
+- **hangRecoveryAction** The cluster parameter: hang recovery action.
+- **hangTimeOut** Specifies the “hang time out” parameter for the cluster.
+- **isCalabria** Specifies whether storage spaces direct is enabled.
+- **isMixedMode** Identifies if the cluster is running with different version of OS for nodes.
+- **isRunningDownLevel** Identifies if the current node is running down-level.
+- **logLevel** Specifies the granularity that is logged in the cluster log.
+- **logSize** Specifies the size of the cluster log.
+- **lowerQuorumPriorityNodeId** The cluster parameter: lower quorum priority node ID.
+- **minNeverPreempt** The cluster parameter: minimum never preempt.
+- **minPreemptor** The cluster parameter: minimum preemptor priority.
+- **netftIpsecEnabled** The parameter: netftIpsecEnabled.
+- **NodeCount** The number of nodes in the cluster.
+- **nodeId** The current node number in the cluster.
+- **nodeResourceCounts** Specifies the number of node resources.
+- **nodeResourceOnlineCounts** Specifies the number of node resources that are online.
+- **numberOfSites** The number of different sites.
+- **numNodesInNoSite** The number of nodes not belonging to a site.
+- **plumbAllCrossSubnetRoutes** The cluster parameter: plumb all cross subnet routes.
+- **preferredSite** The preferred site location.
+- **privateCloudWitness** Specifies whether a private cloud witness exists for this cluster.
+- **quarantineDuration** The quarantine duration.
+- **quarantineThreshold** The quarantine threshold.
+- **quorumArbitrationTimeout** In the event of an arbitration event, this specifies the quorum timeout period.
+- **resiliencyLevel** Specifies the level of resiliency.
+- **resourceCounts** Specifies the number of resources.
+- **resourceTypeCounts** Specifies the number of resource types in the cluster.
+- **resourceTypes** Data representative of each resource type.
+- **resourceTypesPath** Data representative of the DLL path for each resource type.
+- **sameSubnetDelay** The cluster parameter: same subnet delay.
+- **sameSubnetThreshold** The cluster parameter: same subnet threshold.
+- **secondsInMixedMode** The amount of time (in seconds) that the cluster has been in mixed mode (nodes with different operating system versions in the same cluster).
+- **securityLevel** The cluster parameter: security level.
+- **securityLevelForStorage** The cluster parameter: security level for storage.
+- **sharedVolumeBlockCacheSize** Specifies the block cache size for shared for shared volumes.
+- **shutdownTimeoutMinutes** Specifies the amount of time it takes to time out when shutting down.
+- **upNodeCount** Specifies the number of nodes that are up (online).
+- **useClientAccessNetworksForCsv** The cluster parameter: use client access networks for CSV.
+- **vmIsolationTime** The cluster parameter: VM isolation time.
+- **witnessDatabaseWriteTimeout** Specifies the timeout period for writing to the quorum witness database.
+
+
## Fault Reporting events
### Microsoft.Windows.FaultReporting.AppCrashEvent
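Review bot: in the new ClusterSummary2 field list, the descriptions for genAppNames ("The win32 service name of a clustered service") and genSvcNames ("The command line of a clustered genapp") look swapped. This matters to anyone reviewing what the event collects, because one of these fields carries command lines and resourceTypesPath carries DLL paths, so the list should say accurately which field holds which. Other descriptions to tighten: countNodesInSite and NodeCount are both "The number of nodes in the cluster", csvResourceCount is "The number of resources in the cluster" with no mention of CSV, netftIpsecEnabled is defined only by repeating its own name, and sharedVolumeBlockCacheSize contains the duplicated phrase "for shared for shared volumes".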
@@ -3409,7 +3520,6 @@ The following fields are available:
- **ExceptionOffset** The address where the exception had occurred.
- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
-- **IsCrashFatal** (Deprecated) True/False to indicate whether the crash resulted in process termination.
- **IsFatal** True/False to indicate whether the crash resulted in process termination.
- **ModName** Exception module name (e.g. bar.dll).
- **ModTimeStamp** The date/time stamp of the module.
@@ -3425,6 +3535,20 @@ The following fields are available:
- **TargetAsId** The sequence number for the hanging process.
+## Feature update events
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
+
+This event indicates that the uninstall was properly configured and that a system reboot was initiated.
+
+
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked
+
+This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems.
+
+
+
## Hang Reporting events
### Microsoft.Windows.HangReporting.AppHangEvent
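Review bot: both new Feature update events are added without a field list. UninstallGoBackButtonClicked says it "sends basic metadata about the starting point of uninstalling a feature update" but does not say what that metadata is. Either add a "The following fields are available:" list as the other events have, or state explicitly that the event has no fields, so readers can tell what is collected.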
@@ -3711,6 +3835,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
+- **audio.captureDriver** Audio device capture driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01
+- **audio.renderDriver** Audio device render driver. Example: hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01
- **Audio_CaptureDriver** The Audio device capture driver endpoint.
- **Audio_RenderDriver** The Audio device render driver endpoint.
- **InventoryVersion** The version of the inventory file generating the events.
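Review bot: the added audio.captureDriver and audio.renderDriver lines sit next to the existing Audio_CaptureDriver and Audio_RenderDriver fields, and the list does not explain the relationship between the dotted and underscore names. Please say whether both sets are emitted, or mark the older pair as superseded. The descriptions also differ ("capture driver" with an example string versus "capture driver endpoint"), so spell out whether the values are the same.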
@@ -3748,34 +3874,35 @@ The following fields are available:
- **BusReportedDescription** The description of the device reported by the bux.
- **Class** The device setup class of the driver loaded for the device.
-- **ClassGuid** The device class GUID from the driver package
-- **COMPID** The device setup class guid of the driver loaded for the device.
-- **ContainerId** The list of compat ids for the device.
-- **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
-- **DeviceState** The device description.
-- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
-- **DriverName** A unique identifier for the driver installed.
-- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage
-- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
-- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage.
-- **Enumerator** The date of the driver loaded for the device.
+- **ClassGuid** The device class unique identifier of the driver package loaded on the device.
+- **COMPID** The list of “Compatible IDs” for this device.
+- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to.
+- **Description** The description of the device.
+- **DeviceInterfaceClasses** The device interfaces that this device implements.
+- **DeviceState** Identifies the current state of the parent (main) device.
+- **DriverId** The unique identifier for the installed driver.
+- **DriverName** The name of the driver image file.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **DriverVerDate** The date associated with the driver installed on the device.
+- **DriverVerVersion** The version number of the driver installed on the device.
+- **Enumerator** Identifies the bus that enumerated the device.
- **ExtendedInfs** The extended INF file names.
-- **HWID** The version of the driver loaded for the device.
-- **Inf** The bus that enumerated the device.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
-- **InventoryVersion** List of hardware ids for the device.
-- **LowerClassFilters** Lower filter class drivers IDs installed for the device
-- **LowerFilters** Lower filter drivers IDs installed for the device
-- **Manufacturer** INF file name (the name could be renamed by OS, such as oemXX.inf)
-- **MatchingID** Device installation state.
-- **Model** The version of the inventory binary generating the events.
-- **ParentId** Lower filter class drivers IDs installed for the device.
-- **ProblemCode** Lower filter drivers IDs installed for the device.
-- **Provider** The device manufacturer.
-- **Service** The device service name
-- **STACKID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
-- **UpperClassFilters** Upper filter drivers IDs installed for the device
-- **UpperFilters** The device model.
+- **HWID** A list of hardware IDs for the device.
+- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InventoryVersion** The version number of the inventory process generating the events.
+- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
+- **LowerFilters** The identifiers of the Lower filters installed for the device.
+- **Manufacturer** The manufacturer of the device.
+- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance.
+- **Model** Identifies the model of the device.
+- **ParentId** The Device Instance ID of the parent of the device.
+- **ProblemCode** The error code currently returned by the device, if applicable.
+- **Provider** Identifies the device provider.
+- **Service** The name of the device service.
+- **STACKID** The list of hardware IDs for the stack.
+- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device.
+- **UpperFilters** The identifiers of the Upper filters installed for the device.
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
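Review bot: realigning the shifted descriptions is right, but the DeviceState bitmask documentation is lost in the process. The old text, misplaced under DriverId, listed the flag values (DEVICE_IS_CONNECTED 0x0001 through DEVICE_IS_WIRELESS_FAT 0x0200) and the common values 32, 96 and 288, while the new DeviceState line only says "Identifies the current state of the parent (main) device". Suggest moving the bitmask list under DeviceState rather than dropping it. Also, the unchanged BusReportedDescription line at the top of the hunk still reads "reported by the bux", which could be fixed in the same pass.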
@@ -3817,7 +3944,6 @@ The following fields are available:
This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
-This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
@@ -3974,30 +4100,30 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **AddinCLSID** The CLSID for the Office add-in.
-- **AddInCLSID** CLSID key for the office addin
-- **AddInId** Office add-in ID.
-- **AddinType** Office add-in Type.
-- **BinFileTimestamp** Timestamp of the Office add-in.
-- **BinFileVersion** Version of the Office add-in.
-- **Description** Office add-in description.
-- **FileId** FileId of the Office add-in.
-- **FileSize** File size of the Office add-in.
-- **FriendlyName** Friendly name for office add-in.
-- **FullPath** Unexpanded path to the office add-in.
+- **AddinCLSID** The class identifier key for the Microsoft Office add-in.
+- **AddInCLSID** The class identifier key for the Microsoft Office add-in.
+- **AddInId** The identifier for the Microsoft Office add-in.
+- **AddinType** The type of the Microsoft Office add-in.
+- **BinFileTimestamp** The timestamp of the Office add-in.
+- **BinFileVersion** The version of the Microsoft Office add-in.
+- **Description** Description of the Microsoft Office add-in.
+- **FileId** The file identifier of the Microsoft Office add-in.
+- **FileSize** The file size of the Microsoft Office add-in.
+- **FriendlyName** The friendly name for the Microsoft Office add-in.
+- **FullPath** The full path to the Microsoft Office add-in.
- **InventoryVersion** The version of the inventory binary generating the events.
-- **LoadBehavior** Uint32 that describes the load behavior.
-- **LoadTime** Load time for the office addin
-- **OfficeApplication** The office application for this add-in.
-- **OfficeArchitecture** Architecture of the add-in.
-- **OfficeVersion** The office version for this add-in.
-- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in.
+- **LoadBehavior** Integer that describes the load behavior.
+- **LoadTime** Load time for the Office add-in.
+- **OfficeApplication** The Microsoft Office application associated with the add-in.
+- **OfficeArchitecture** The architecture of the add-in.
+- **OfficeVersion** The Microsoft Office version for this add-in.
+- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in.
- **ProductCompany** The name of the company associated with the Office add-in.
-- **ProductName** The product name associated with the Office add-in.
+- **ProductName** The product name associated with the Microsoft Office add-in.
- **ProductVersion** The version associated with the Office add-in.
-- **ProgramId** The unique program identifier of the Office add-in.
+- **ProgramId** The unique program identifier of the Microsoft Office add-in.
- **Provider** Name of the provider for this add-in.
-- **Usage** Data regarding usage of the add-in.
+- **Usage** Data about usage for the add-in.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
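Review bot: AddinCLSID and AddInCLSID now carry the identical description, "The class identifier key for the Microsoft Office add-in", and differ only in letter case, so the list gives no way to tell why both exist. Please note which one is current or whether one is deprecated. The LoadBehavior change from "Uint32" to "Integer" also drops the type width and signedness; keep the precise type if it is accurate.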
@@ -4159,10 +4285,10 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
-- **BrowserFlags** Browser flags for Office-related products.
-- **ExchangeProviderFlags** Provider policies for Office Exchange.
+- **BrowserFlags** Browser flags for Office-related products
+- **ExchangeProviderFlags** Provider policies for Office Exchange
- **InventoryVersion** The version of the inventory binary generating the events.
-- **SharedComputerLicensing** Office shared computer licensing policies.
+- **SharedComputerLicensing** Office shared computer licensing policies
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
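Review bot: the only change to BrowserFlags, ExchangeProviderFlags and SharedComputerLicensing is the removal of the trailing period, which makes them inconsistent with the InventoryVersion line in the same list and with the field lists elsewhere in this patch. If this is unintentional output from the generator, please restore the periods.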
@@ -4315,6 +4441,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
- **IndicatorValue** The indicator value.
+- **Value** Describes an operating system indicator that may be relevant for the device upgrade.
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
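Review bot: the added Value field ("Describes an operating system indicator that may be relevant for the device upgrade") sits directly under IndicatorValue ("The indicator value") with nothing to distinguish them. Please state whether Value replaces IndicatorValue or how the two differ.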
@@ -4376,6 +4503,80 @@ The following fields are available:
- **UserInputTime** The amount of time the loader application spent waiting for user input.
+## Miracast events
+
+### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd
+
+This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session
+
+The following fields are available:
+
+- **AudioChannelCount** The number of audio channels.
+- **AudioSampleRate** The sample rate of audio in terms of samples per second.
+- **AudioSubtype** The unique subtype identifier of the audio codec (encoding method) used for audio encoding.
+- **AverageBitrate** The average video bitrate used during the Miracast session, in bits per second.
+- **AverageDataRate** The average available bandwidth reported by the WiFi driver during the Miracast session, in bits per second.
+- **AveragePacketSendTimeInMs** The average time required for the network to send a sample, in milliseconds.
+- **ConnectorType** The type of connector used during the Miracast session.
+- **EncodeAverageTimeMS** The average time to encode a frame of video, in milliseconds.
+- **EncodeCount** The count of total frames encoded in the session.
+- **EncodeMaxTimeMS** The maximum time to encode a frame, in milliseconds.
+- **EncodeMinTimeMS** The minimum time to encode a frame, in milliseconds.
+- **EncoderCreationTimeInMs** The time required to create the video encoder, in milliseconds.
+- **ErrorSource** Identifies the component that encountered an error that caused a disconnect, if applicable.
+- **FirstFrameTime** The time (tick count) when the first frame is sent.
+- **FirstLatencyMode** The first latency mode.
+- **FrameAverageTimeMS** Average time to process an entire frame, in milliseconds.
+- **FrameCount** The total number of frames processed.
+- **FrameMaxTimeMS** The maximum time required to process an entire frame, in milliseconds.
+- **FrameMinTimeMS** The minimum time required to process an entire frame, in milliseconds.
+- **Glitches** The number of frames that failed to be delivered on time.
+- **HardwareCursorEnabled** Indicates if hardware cursor was enabled when the connection ended.
+- **HDCPState** The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended.
+- **HighestBitrate** The highest video bitrate used during the Miracast session, in bits per second.
+- **HighestDataRate** The highest available bandwidth reported by the WiFi driver, in bits per second.
+- **LastLatencyMode** The last reported latency mode.
+- **LogTimeReference** The reference time, in tick counts.
+- **LowestBitrate** The lowest video bitrate used during the Miracast session, in bits per second.
+- **LowestDataRate** The lowest video bitrate used during the Miracast session, in bits per second.
+- **MediaErrorCode** The error code reported by the media session, if applicable.
+- **MiracastEntry** The time (tick count) when the Miracast driver was first loaded.
+- **MiracastM1** The time (tick count) when the M1 request was sent.
+- **MiracastM2** The time (tick count) when the M2 request was sent.
+- **MiracastM3** The time (tick count) when the M3 request was sent.
+- **MiracastM4** The time (tick count) when the M4 request was sent.
+- **MiracastM5** The time (tick count) when the M5 request was sent.
+- **MiracastM6** The time (tick count) when the M6 request was sent.
+- **MiracastM7** The time (tick count) when the M7 request was sent.
+- **MiracastSessionState** The state of the Miracast session when the connection ended.
+- **MiracastStreaming** The time (tick count) when the Miracast session first started processing frames.
+- **ProfileCount** The count of profiles generated from the receiver M4 response.
+- **ProfileCountAfterFiltering** The count of profiles after filtering based on available bandwidth and encoder capabilities.
+- **RefreshRate** The refresh rate set on the remote display.
+- **RotationSupported** Indicates if the Miracast receiver supports display rotation.
+- **RTSPSessionId** The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for the same session.
+- **SessionGuid** The unique identifier of to correlate various Miracast events from a session.
+- **SinkHadEdid** Indicates if the Miracast receiver reported an EDID.
+- **SupportMicrosoftColorSpaceConversion** Indicates whether the Microsoft color space conversion for extra color fidelity is supported by the receiver.
+- **SupportsMicrosoftDiagnostics** Indicates whether the Miracast receiver supports the Microsoft Diagnostics Miracast extension.
+- **SupportsMicrosoftFormatChange** Indicates whether the Miracast receiver supports the Microsoft Format Change Miracast extension.
+- **SupportsMicrosoftLatencyManagement** Indicates whether the Miracast receiver supports the Microsoft Latency Management Miracast extension.
+- **SupportsMicrosoftRTCP** Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast extension.
+- **SupportsMicrosoftVideoFormats** Indicates whether the Miracast receiver supports Microsoft video format for 3:2 resolution.
+- **SupportsWiDi** Indicates whether Miracast receiver supports Intel WiDi extensions.
+- **TeardownErrorCode** The error code reason for teardown provided by the receiver, if applicable.
+- **TeardownErrorReason** The text string reason for teardown provided by the receiver, if applicable.
+- **UIBCEndState** Indicates whether UIBC was enabled when the connection ended.
+- **UIBCEverEnabled** Indicates whether UIBC was ever enabled.
+- **UIBCStatus** The result code reported by the UIBC setup process.
+- **VideoBitrate** The starting bitrate for the video encoder.
+- **VideoCodecLevel** The encoding level used for encoding, specific to the video subtype.
+- **VideoHeight** The height of encoded video frames.
+- **VideoSubtype** The unique subtype identifier of the video codec (encoding method) used for video encoding.
+- **VideoWidth** The width of encoded video frames.
+- **WFD2Supported** Indicates if the Miracast receiver supports WFD2 protocol.
+
+
## OneDrive events
### Microsoft.OneDrive.Sync.Setup.APIOperation
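Review bot: the added SessionGuid line reads "The unique identifier of to correlate various Miracast events from a session."; the stray "of" should go, for example "The unique identifier used to correlate ...".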
@@ -4509,6 +4710,71 @@ The following fields are available:
- **userRegionCode** The current user's region setting
+### wilActivity
+
+This event provides a Windows Internal Library context used for Product and Service diagnostics.
+
+The following fields are available:
+
+- **callContext** The function where the failure occurred.
+- **currentContextId** The ID of the current call context where the failure occurred.
+- **currentContextMessage** The message of the current call context where the failure occurred.
+- **currentContextName** The name of the current call context where the failure occurred.
+- **failureCount** The number of failures for this failure ID.
+- **failureId** The ID of the failure that occurred.
+- **failureType** The type of the failure that occurred.
+- **fileName** The file name where the failure occurred.
+- **function** The function where the failure occurred.
+- **hresult** The HResult of the overall activity.
+- **lineNumber** The line number where the failure occurred.
+- **message** The message of the failure that occurred.
+- **module** The module where the failure occurred.
+- **originatingContextId** The ID of the originating call context that resulted in the failure.
+- **originatingContextMessage** The message of the originating call context that resulted in the failure.
+- **originatingContextName** The name of the originating call context that resulted in the failure.
+- **threadId** The ID of the thread on which the activity is executing.
+
+
+## Sediment events
+
+### Microsoft.Windows.Sediment.Info.DetailedState
+
+This event is sent when detailed state information is needed from an update trial run.
+
+The following fields are available:
+
+- **Data** Data relevant to the state, such as what percent of disk space the directory takes up.
+- **Id** Identifies the trial being run, such as a disk related trial.
+- **ReleaseVer** The version of the component.
+- **State** The state of the reporting data from the trial, such as the top-level directory analysis.
+- **Time** The time the event was fired.
+
+
+### Microsoft.Windows.Sediment.Info.Error
+
+This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ReleaseVer** The version information for the component in which the error occurred.
+- **Time** The system time at which the error occurred.
+
+
+### Microsoft.Windows.Sediment.Info.PhaseChange
+
+The event indicates progress made by the updater. This information assists in keeping Windows up to date.
+
+The following fields are available:
+
+- **NewPhase** The phase of progress made.
+- **ReleaseVer** The version information for the component in which the change occurred.
+- **Time** The system time at which the phase chance occurred.
+
+
## Setup events
### SetupPlatformTel.SetupPlatformTelActivityEvent
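Review bot: under Microsoft.Windows.Sediment.Info.PhaseChange, the Time field says "phase chance occurred"; that should be "phase change". In wilActivity, callContext and function carry the identical description "The function where the failure occurred.", so one of them needs text that says what distinguishes it. The PhaseChange intro also opens with "The event indicates" where the two sibling sections use "This event".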
@@ -4548,15 +4814,6 @@ The following fields are available:
- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
-### SetupPlatformTel.SetupPlatfOrmTelEvent
-
-This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
-
-The following fields are available:
-
-- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
-
-
## Software update events
### SoftwareUpdateClientTelemetry.CheckForUpdates
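Review bot: the removed heading is spelled SetupPlatfOrmTelEvent (capital O), and the whole section goes with it, including the GroupName field. If the intent was to correct the casing, a correctly spelled section should replace it; if the event is being retired from the documentation, the commit message should say so.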
@@ -4660,6 +4917,7 @@ The following fields are available:
- **BundleRevisionNumber** Identifies the revision number of the content bundle
- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
- **ClientVersion** Version number of the software distribution client
+- **DeploymentProviderMode** The mode of operation of the update deployment provider.
- **DeviceModel** Device model as defined in the system bios
- **EventInstanceID** A globally unique identifier for event instance
- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
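Review bot: the DeploymentProviderMode description only restates the field name; list the modes the field can report, or say where they are defined. The same sentence is added again in the later install-event hunk and needs the same fix. The EventScenario context line just below still has "succeded", which could be corrected while this list is being touched.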
@@ -4667,7 +4925,7 @@ The following fields are available:
- **FlightId** The specific id of the flight the device is getting
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
- **RevisionNumber** Identifies the revision number of this specific piece of content
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
- **SystemBIOSMajorRelease** Major release version of the system bios
- **SystemBIOSMinorRelease** Minor release version of the system bios
- **UpdateId** Identifier associated with the specific piece of content
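Review bot: the ServiceGuid line replaces "Microsoft Store" with "Windows Store", but the ServiceGuid line added in the metadata-integrity hunk of this same patch says "Microsoft Store". Pick one name and use it throughout; the same substitution recurs in the download-event hunk and in two later single-line hunks.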
@@ -4680,11 +4938,11 @@ Download process event for target update on Windows Update client. See the Event
The following fields are available:
-- **ActiveDownloadTime** Number of seconds the update was actively being downloaded.
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload.
- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
-- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
-- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - only the content required to launch the app is being downloaded; "AutomaticContentOnly" - only the optional [automatic] content for the app (the ones that can downloaded after the app has been launched) is being downloaded; "AllContent" - all content for the app, including the optional [automatic] content, is being downloaded.
+- **AppXDownloadScope** Indicates the scope of the download for application content.
+- **AppXScope** Indicates the scope of the app download.
- **BiosFamily** The family of the BIOS (Basic Input Output System).
- **BiosName** The name of the device BIOS.
- **BiosReleaseDate** The release date of the device BIOS.
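Review bot: AppXDownloadScope and AppXScope lose their value lists (AllContent, RequiredOnly, AutomaticOnly, Unknown and RequiredContentOnly, AutomaticContentOnly, AllContent). Without them a reader cannot interpret what the field reports; keep the enumerations, shortened if needed.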
@@ -4692,28 +4950,28 @@ The following fields are available:
- **BIOSVendor** The vendor of the BIOS.
- **BiosVersion** The version of the BIOS.
- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleId** Identifier associated with the specific content bundle.
- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download.
- **BundleRevisionNumber** Identifies the revision number of the content bundle.
- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
-- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. This value can be one of the following: (1) express download method was used for download; (2) SelfContained download method was used for download indicating the update had no express content; (3) SelfContained download method was used indicating that the update has an express payload, but the server is not hosting it; (4) SelfContained download method was used indicating that range requests are not supported; (5) SelfContained download method was used indicating that the system does not support express download (dpx.dll is not present); (6) SelfContained download method was used indicating that self-contained download method was selected previously; (7) SelfContained download method was used indicating a fall back to self-contained if the number of requests made by DPX exceeds a certain threshold.
+- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable.
+- **CallerApplicationName** The name provided by the application that initiated API calls into the software distribution client.
+- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download.
+- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
- **ClientVersion** The version number of the software distribution client.
-- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0.
-- **ConnectTime** Indicates the cumulative sum (in seconds) of the time it took to establish the connection for all updates in an update bundle.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior.
+- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle.
- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **DeviceModel** What is the device model.
+- **DeviceModel** The model of the device.
- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
-- **DownloadProps** Indicates a bitmask for download operations indicating: (1) if an update was downloaded to a system volume (least significant bit i.e. bit 0); (2) if the update was from a channel other than the installed channel (bit 1); (3) if the update was for a product pinned by policy (bit 2); (4) if the deployment action for the update is uninstall (bit 3).
-- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **DownloadProps** Information about the download operation.
+- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads.
- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
-- **EventType** Possible values are Child, Bundle, or Driver.
+- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed.
+- **EventType** Identifies the type of the event (Child, Bundle, or Driver).
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
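Review bot: CbsMethod and DownloadProps lose the information needed to decode them: the seven numbered CbsMethod values and the DownloadProps bit assignments (bits 0 to 3) are replaced by one-line summaries such as "Information about the download operation." Keep the value lists or point to where they are documented. CommonProps also drops "Expected value for this field is 0", while the CommonProps context line in the later install-event hunk still carries that sentence, so the two entries now disagree.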
@@ -4728,38 +4986,38 @@ The following fields are available:
- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
-- **NetworkCost** A flag indicating the cost of the network used for downloading the update content. The values can be: 0x0 (Unkown); 0x1 (Network cost is unrestricted); 0x2 (Network cost is fixed); 0x4 (Network cost is variable); 0x10000 (Network cost over data limit); 0x20000 (Network cost congested); 0x40000 (Network cost roaming); 0x80000 (Network cost approaching data limit).
+- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content.
- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
- **PackageFullName** The package name of the content.
- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
-- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **PostDnldTime** Time (in seconds) taken to signal download completion after the last job completed downloading the payload.
+- **ProcessName** The process name of the application that initiated API calls, in the event where CallerApplicationName was not provided.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background.
- **RegulationReason** The reason that the update is regulated
- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
-- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
-- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
-- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
-- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload.
+- **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector.
+- **RepeatFailCount** Indicates whether this specific content has previously failed.
+- **RepeatFailFlag** Indicates whether this specific content previously failed to download.
+- **RevisionNumber** The revision number of the specified piece of content.
+- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade.
+- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped.
+- **SizeCalcTime** Time (in seconds) taken to calculate the total download size of the payload.
- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
- **SystemBIOSMajorRelease** Major version of the BIOS.
- **SystemBIOSMinorRelease** Minor version of the BIOS.
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package.
- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
-- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
-- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes** The total size (in Bytes) expected to be downloaded.
- **UpdateId** An identifier associated with the specific piece of content.
- **UpdateID** An identifier associated with the specific piece of content.
-- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **UsedDO** Whether the download used the delivery optimization service.
+- **UpdateImportance** Indicates whether the content was marked as Important, Recommended, or Optional.
+- **UsedDO** Indicates whether the download used the Delivery Optimization (DO) service.
- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
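Review bot: TargetMetadataVersion changes meaning, not only wording: it goes from the target version of the SIH engine to "the currently downloading (or most recently downloaded) package". Confirm which of the two the client actually reports. NetworkCost also loses its flag values (0x1, 0x2, 0x4, 0x10000 and so on), which are needed to decode the field, and the reworded TimeToEstablishConnection still ends in "prior to beginning downloaded".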
@@ -4838,6 +5096,7 @@ The following fields are available:
- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0.
- **CSIErrorType** The stage of CBS installation where it failed.
- **CurrentMobileOperator** The mobile operator to which the device is currently connected.
+- **DeploymentProviderMode** The mode of operation of the update deployment provider.
- **DeviceModel** The device model.
- **DriverPingBack** Contains information about the previous driver and system state.
- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
@@ -4924,7 +5183,7 @@ The following fields are available:
- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
@@ -4984,7 +5243,7 @@ The following fields are available:
- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
- **RepeatFailCount** Indicates whether this specific piece of content previously failed.
- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.).
- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
@@ -5016,28 +5275,28 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether
The following fields are available:
- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
-- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
-- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
-- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ExtendedStatusCode** The secondary status code of the event.
+- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed.
- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
-- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
- **RevisionId** The revision ID for a specific piece of content.
- **RevisionNumber** The revision number for a specific piece of content.
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
-- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob
+- **SHA256OfTimestampToken** An encoded string of the timestamp token.
- **SignatureAlgorithm** The hash algorithm for the metadata signature.
-- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
-- **StatusCode** Result code of the event (success, cancellation, failure code HResult)
-- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token.
-- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+- **StatusCode** The status code of the event.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
- **UpdateId** The update ID for a specific piece of content.
-- **ValidityWindowInDays** Validity window in effect when verifying the timestamp
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
## System Resource Usage Monitor events
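Review bot: the new SHA256OfTimestampToken text, "An encoded string of the timestamp token.", no longer says that the value is a base64 string of a hash of the token blob, which is what the field name and the neighbouring SHA256OfLeafCerData line describe; keep "hash" and "base64" in the description. In the same hunk, StatusCode and ExtendedStatusCode lose the HResult wording, "The time this was created" in TimestampTokenId has no referent for "this", and the ServiceGuid line has a comma splice ("connected, Example:") and no closing period.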
@@ -5133,6 +5392,7 @@ The following fields are available:
- **RangeRequestState** Indicates the range request type used.
- **RelatedCV** Correlation vector value generated from the latest USO scan.
- **Result** Outcome of the download request phase of update.
+- **SandboxTaggedForReserves** The sandbox for reserves.
- **ScenarioId** Indicates the update scenario.
- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
- **UpdateId** Unique ID for each update.
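Review bot: "The sandbox for reserves." does not explain SandboxTaggedForReserves. The name suggests a flag; state what is reported (a boolean, an identifier, a path) and what "reserves" refers to.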
@@ -5360,6 +5620,24 @@ The following fields are available:
- **UserSession** Indicates whether install was invoked by user actions.
+## Update notification events
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
+
+This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat.
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign.
+- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP).
+- **ConfigCatalogVersion** Current catalog version of UNP.
+- **ContentVersion** Content version for the current campaign on UNP.
+- **CV** Correlation vector.
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP.
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user.
+- **PackageVersion** Current UNP package version.
+
+
## Upgrade events
### FacilitatorTelemetry.DCATDownload
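Review bot: the CampaignID description, "Currently campaign that is running on Update Notification Pipeline (UNP).", is ungrammatical; something like "The campaign currently running on the Update Notification Pipeline (UNP)." reads correctly. The intro sentence also describes an event "sent at the start of the CampaignManager event", and GlobalEventCounter says events are "sent by the user" although it is a client-side counter; both are worth rewording.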
@@ -5374,6 +5652,22 @@ The following fields are available:
- **ResultCode** Result returned by the Facilitator DCAT call.
- **Scenario** Dynamic update scenario (Image DU, or Setup DU).
- **Type** Type of package that was downloaded.
+- **UpdateId** The ID of the update that was downloaded.
+
+
+### FacilitatorTelemetry.DUDownload
+
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows.
+
+The following fields are available:
+
+- **DownloadRequestAttributes** The attributes sent for download.
+- **PackageCategoriesFailed** Lists the categories of packages that failed to download.
+- **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped.
+- **ResultCode** The result of the event execution.
+- **Scenario** Identifies the active Download scenario.
+- **Url** The URL the download request was sent to.
+- **Version** Identifies the version of Facilitator used.
### FacilitatorTelemetry.InitializeDU
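Review bot: in the new FacilitatorTelemetry.DUDownload section, Scenario is described as "Identifies the active Download scenario.", while the Scenario context line for DCATDownload directly above says "Dynamic update scenario (Image DU, or Setup DU)". If the field is the same, reuse that wording so the possible values are visible; DownloadRequestAttributes and ResultCode would also benefit from saying what form the value takes.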
@@ -5591,7 +5885,7 @@ The following fields are available:
- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
- **Operation** Facilitator’s last known operation (scan, download, etc.).
- **ReportId** ID for tying together events stream side.
-- **ResultCode** Result returned by setup for the entire operation.
+- **ResultCode** Result returned for the entire setup operation.
- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
- **ScenarioId** Identifies the update scenario.
- **TargetBranch** Branch of the target OS.
@@ -5693,6 +5987,7 @@ The following fields are available:
- **detectionSummary** Result of each applicable detection that was run.
- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
- **hrEngineResult** Error code from the engine operation.
+- **insufficientSessions** Device not eligible for diagnostics.
- **isInteractiveMode** The user started a run of WaaSMedic.
- **isManaged** Device is managed for updates.
- **isWUConnected** Device is connected to Windows Update.
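Review bot: "Device not eligible for diagnostics." does not connect to the field name insufficientSessions. Say what kind of sessions are counted and that too few of them is what makes the device ineligible.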
@@ -5754,7 +6049,7 @@ The following fields are available:
- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”.
-## Microsoft Store events
+## Windows Store events
### Microsoft.Windows.Store.StoreActivating
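Review bot: renaming the section heading to "Windows Store events" conflicts with the "Microsoft Store" wording this patch adds in the ServiceGuid line of the metadata-integrity hunk, and any existing links to this heading would need updating. Keep the original heading unless the rename is intended everywhere.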
@@ -6033,7 +6328,9 @@ This event is sent at the beginning of an app install or update to help keep Win
The following fields are available:
- **CatalogId** The name of the product catalog from which this app was chosen.
+- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product.
- **PFN** The Package Family Name of the app that is being installed or updated.
+- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in.
- **ProductId** The product ID of the app that is being updated or installed.
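Review bot: the two added lines spell the same term two ways, "plugin" in FulfillmentPluginId and "plug-in" in PluginTelemetryData. Use one spelling in both descriptions.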
@@ -6224,6 +6521,7 @@ The following fields are available:
- **bytesFromCDN** The number of bytes received from a CDN source.
- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromLinkLocalPeers** The number of bytes received from local peers.
- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
- **bytesRequested** The total number of bytes requested for download.
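Review bot: bytesFromLinkLocalPeers is described as bytes "received from local peers", which does not distinguish it from bytesFromPeers two lines below ("a peer in the same LAN"). Use "link-local" in the description, as the field name does, and say how it differs from the LAN count.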
@@ -6251,7 +6549,9 @@ The following fields are available:
- **isVpn** Is the device connected to a Virtual Private Network?
- **jobID** Identifier for the Windows Update job.
- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network.
- **numPeers** The total number of peers used for this download.
+- **numPeersLocal** The total number of local peers used for this download.
- **predefinedCallerName** The name of the API Caller.
- **restrictedUpload** Is the upload restricted?
- **routeToCacheServer** The cache server setting, source, and value.
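Review bot: **numPeersLocal** says "local peers" while the same hunk adds **linkLocalConnectionCount** and keeps **lanConnectionCount**, so "local" could mean either. Say which one is counted, and lowercase "Link-local" in the **linkLocalConnectionCount** description to match the surrounding text.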
@@ -6298,6 +6598,7 @@ The following fields are available:
- **doClientVersion** The version of the Delivery Optimization client.
- **doErrorCode** The Delivery Optimization error code that was returned.
- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
+- **downloadModeReason** Reason for the download.
- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
- **errorCode** The error code that was returned.
- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
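Review bot: The description of **downloadModeReason**, "Reason for the download.", does not match the field name, which sits between **downloadMode** and **downloadModeSrc** and reads as the reason a download mode was selected. Reword it to describe the mode selection, and list the possible values the way the neighbouring fields do if they are enumerated.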
@@ -6363,21 +6664,21 @@ This event collects information regarding the state of devices and drivers on th
The following fields are available:
- **activated** Whether the entire device manifest update is considered activated and in use.
-- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis.
+- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis.
- **flightId** Unique ID for each flight.
-- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system.
-- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system.
+- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system.
+- **missingUpdateCount** The number of updates in the device manifest that are missing from the system.
- **objectId** Unique value for each diagnostics session.
-- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices.
+- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices.
- **relatedCV** Correlation vector value generated from the latest USO scan.
- **scenarioId** Indicates the update scenario.
- **sessionId** Unique value for each update session.
-- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on.
+- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
-- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string.
-- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string.
+- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string.
+- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string.
- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
-- **updateId** Unique ID for each Update.
+- **updateId** The unique ID for each update.
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
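Review bot: The rewording from "How many ..." to "The number of ..." skips **unpublishedCount**, which still reads "How many drivers packages that were delivered ...", so the list is now inconsistent. Update that line too, and fix "drivers packages" to "driver packages" in the new **publishedCount** line while you are there.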
@@ -6448,13 +6749,13 @@ This event collects information regarding the install phase of the new device ma
The following fields are available:
- **errorCode** The error code returned for the current install phase.
-- **flightId** The unique identifier for each flight.
+- **flightId** The unique identifier for each flight (pre-release builds).
- **objectId** The unique identifier for each diagnostics session.
-- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **relatedCV** Correlation vector value generated from the latest scan.
- **result** Outcome of the install phase of the update.
-- **scenarioId** The unique identifier for the update scenario.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
- **sessionId** The unique identifier for each update session.
-- **updateId** The unique identifier for each update.
+- **updateId** The unique identifier for each Update.
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
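Review bot: The new **updateId** line capitalises "Update" ("for each Update"), while the previous hunk in the same file changes the same field to lowercase "for each update". Use one form throughout. The new **scenarioId** line is also missing its closing period, and **relatedCV** drops "USO" from "latest USO scan" without saying which scan is now meant.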
@@ -6463,13 +6764,13 @@ This event sends data for the start of each mode during the process of updating
The following fields are available:
-- **flightId** The unique identifier for each flight.
-- **mode** The mode that is starting.
-- **objectId** The unique value for each diagnostics session.
-- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **flightId** The unique identifier for each flight (pre-release builds).
+- **mode** Indicates the active Update Agent mode.
+- **objectId** Unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest scan.
- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
-- **sessionId** Unique value for each Update Agent mode attempt.
-- **updateId** Unique identifier for each update.
+- **sessionId** The unique identifier for each update session.
+- **updateId** The unique identifier for each Update.
### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
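Review bot: The **sessionId** change alters the meaning, not just the wording: it goes from "Unique value for each Update Agent mode attempt" to "The unique identifier for each update session". For a ModeStart event those are different scopes, so confirm which one the field actually carries before merging; anyone correlating events by this ID depends on it.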
@@ -6498,6 +6799,22 @@ The following fields are available:
- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time.
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
+
+This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose on this dialog box.
+- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+
+
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed..
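Review bot: **RebootVersion** is described as "Version of DTE." in the new AcceptAutoDialog event, and "DTE" is never expanded. The ReminderToast event added later in this file describes the same field as "The version of the reboot logic."; use that wording here, or spell out the acronym. **UserResponseString** also needs an article: "The option that the user chose".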
@@ -6562,6 +6879,42 @@ The following fields are available:
- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC).
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast
+
+This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the pop-up banner.
+- **RebootVersion** The version of the reboot logic.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in the pop-up banner.
+- **UtcTime** The time that the pop-up banner was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.NotificationUx.RebootScheduled
+
+Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
+
+The following fields are available:
+
+- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device.
+- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours.
+- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically).
+- **rebootState** The current state of the restart.
+- **rebootUsingSmartScheduler** Indicates whether the reboot is scheduled by smart scheduler.
+- **revisionNumber** Revision number of the update that is getting installed with this restart.
+- **scheduledRebootTime** Time of the scheduled restart.
+- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time.
+- **updateId** ID of the update that is getting installed with this restart.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
This event indicates a policy is present that may restrict update activity to outside of active hours.
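Review bot: In the new RebootScheduled event, **rebootArgument** ("It also represents specific reboot related action.") and **rebootState** ("The current state of the restart.") do not tell the reader what values to expect. List the possible values or give an example. The field descriptions also alternate between "reboot" and "restart" for the same action; pick one.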
@@ -6622,20 +6975,20 @@ This event indicates that a scan for a Windows Update occurred.
The following fields are available:
-- **deferReason** Reason why the device could not check for updates.
-- **detectionBlockingPolicy** State of update action.
-- **detectionBlockreason** Reason for detection not completing.
+- **deferReason** The reason why the device could not check for updates.
+- **detectionBlockingPolicy** The Policy that blocked detection.
+- **detectionBlockreason** The reason detection did not complete.
- **detectionRetryMode** Indicates whether we will try to scan again.
-- **errorCode** The returned error code.
+- **errorCode** The error code returned for the current process.
- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **flightID** The specific ID of the Windows Insider build the device is getting.
-- **interactive** Indicates whether the session was user initiated.
-- **networkStatus** Error info
-- **revisionNumber** Update revision number.
-- **scanTriggerSource** Source of the triggered scan.
-- **updateId** Update ID.
-- **updateScenarioType** Update Session type
-- **wuDeviceid** Device ID
+- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable.
+- **interactive** Indicates whether the user initiated the session.
+- **networkStatus** Indicates if the device is connected to the internet.
+- **revisionNumber** The Update revision number.
+- **scanTriggerSource** The source of the triggered scan.
+- **updateId** The unique identifier of the Update.
+- **updateScenarioType** Identifies the type of update session being performed.
+- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
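Review bot: The new **flightID** description is ungrammatical: "The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device" is missing "that". Separately, **networkStatus** changes from "Error info" to "Indicates if the device is connected to the internet.", which is a different meaning rather than a rewording, so confirm it against the event schema. "The Policy" in **detectionBlockingPolicy** should be lowercase.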
@@ -6700,6 +7053,23 @@ The following fields are available:
- **wuDeviceid** Device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels
+
+This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date.
+
+The following fields are available:
+
+- **configVersion** The escalation configuration version on the device.
+- **downloadElapsedTime** Indicates how long since the download is required on device.
+- **downloadRiskLevel** At-risk level of download phase.
+- **installElapsedTime** Indicates how long since the install is required on device.
+- **installRiskLevel** The at-risk level of install phase.
+- **isSediment** Assessment of whether is device is at risk.
+- **scanElapsedTime** Indicates how long since the scan is required on device.
+- **scanRiskLevel** At-risk level of the scan phase.
+- **wuDeviceid** Device ID used by Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask
This event indicated that USO failed to add a trigger time to a task.
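Review bot: The **isSediment** line has a typo, "Assessment of whether is device is at risk.", and should read "whether the device is at risk". The three elapsed-time fields ("Indicates how long since the download is required on device.") give no unit and read awkwardly; something like "The time elapsed since the download became required on the device, in <unit>" would be clearer. The risk-level lines also mix "At-risk level of" and "The at-risk level of".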
@@ -6718,6 +7088,7 @@ The following fields are available:
- **EventPublishedTime** Time when this event was generated.
- **flightID** The specific ID of the Windows Insider build.
+- **inapplicableReason** The reason why the update is inapplicable.
- **revisionNumber** Update revision number.
- **updateId** Unique Windows Update ID.
- **updateScenarioType** Update session type.
@@ -6739,7 +7110,7 @@ The following fields are available:
- **revisionNumber** Revision number of the update.
- **updateId** Update ID.
- **updateScenarioType** The update session type.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
- **wuDeviceid** Unique device ID used by Windows Update.
@@ -6753,7 +7124,7 @@ The following fields are available:
- **deferReason** Reason for install not completing.
- **errorCode** The error code reppresented by a hexadecimal value.
- **eventScenario** End-to-end update session ID.
-- **flightID** Unique update ID
+- **flightID** The ID of the Windows Insider build the device is getting.
- **flightUpdate** Indicates whether the update is a Windows Insider build.
- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored.
@@ -7028,7 +7399,7 @@ The following fields are available:
- **scheduledRebootTime** Time scheduled for the reboot.
- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
- **updateId** Identifies which update is being scheduled.
-- **wuDeviceid** Unique DeviceID
+- **wuDeviceid** The unique device ID used by Windows Update.
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask
@@ -7069,21 +7440,43 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS
The following fields are available:
-- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **ClientId** The client ID used by Windows Update.
+- **FlightId** The ID of each Windows Insider build the device received.
+- **InstanceId** A unique device ID that identifies each update instance.
- **MitigationScenario** The update scenario in which the mitigation was executed.
-- **MountedImageCount** Number of mounted images.
-- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT.
-- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
-- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
-- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **MountedImageCount** The number of mounted images.
+- **MountedImageMatches** The number of mounted image matches.
+- **MountedImagesFailed** The number of mounted images that could not be removed.
+- **MountedImagesRemoved** The number of mounted images that were successfully removed.
+- **MountedImagesSkipped** The number of mounted images that were not found.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
- **Result** HResult of this operation.
- **ScenarioId** ID indicating the mitigation scenario.
- **ScenarioSupported** Indicates whether the scenario was supported.
- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each Update.
+- **UpdateId** Unique ID for each Windows Update.
+- **WuId** Unique ID for the Windows Update client.
+
+
+### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints
+
+This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates.
+
+The following fields are available:
+
+- **ClientId** Unique identifier for each flight.
+- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
+- **InstanceId** The update scenario in which the mitigation was executed.
+- **MitigationScenario** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them.
+- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation.
+- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required.
+- **ReparsePointsSkipped** HResult of this operation.
+- **Result** ID indicating the mitigation scenario.
+- **ScenarioId** Indicates whether the scenario was supported.
+- **ScenarioSupported** Unique value for each update attempt.
+- **SessionId** Unique ID for each Update.
+- **UpdateId** Unique ID for the Windows Update client.
- **WuId** Unique ID for the Windows Update client.
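Review bot: The field descriptions in the new FixAppXReparsePoints section are shifted up by one row: **ClientId** carries the flight description, **FlightId** the setuphost.exe GUID description, **ReparsePointsSkipped** says "HResult of this operation.", **Result** says "ID indicating the mitigation scenario.", and so on until **UpdateId** and **WuId** both end up as "Unique ID for the Windows Update client.". Realign each description with its field and add the missing one for **ClientId**. In the CleanupSafeOsImages part, **MountedImagesSkipped** changes from images "not under %systemdrive%\$Windows.~BT" to images "that were not found", which is a different condition; check that the new wording is correct.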
@@ -7110,6 +7503,57 @@ The following fields are available:
- **WuId** Unique ID for the Windows Update client.
+## Windows Update Reserve Manager events
+
+### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
+
+The following fields are available:
+
+- **FinalAdjustment** Final adjustment for the hard reserve following the addition or removal of optional content.
+- **InitialAdjustment** Initial intended adjustment for the hard reserve following the addition/removal of optional content.
+
+
+### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError
+
+This event is sent when the Update Reserve Manager returns an error from one of its internal functions.
+
+The following fields are available:
+
+- **FailedExpression** The failed expression that was returned.
+- **FailedFile** The binary file that contained the failed function.
+- **FailedFunction** The name of the function that originated the failure.
+- **FailedLine** The line number of the failure.
+- **ReturnCode** The return code of the function.
+
+
+### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization
+
+This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot.
+
+The following fields are available:
+
+- **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization.
+
+
+### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
+
+
+
+### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment
+
+This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed.
+
+The following fields are available:
+
+- **ChangeSize** The change in the hard reserve size based on the addition or removal of optional content.
+- **PendingHardReserveAdjustment** The final change to the hard reserve size.
+- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve.
+
+
## Winlogon events
### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
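Review bot: The RemovePendingHardReserveAdjustment section ends after its one-sentence description with no field list and no statement that the event has no fields, unlike every other event added here. Add one or the other. In UpdatePendingHardReserveAdjustment, "after the option content is installed" should be "optional content", and **InitialAdjustment** uses "addition/removal" where **FinalAdjustment** uses "addition or removal".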
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
new file mode 100644
index 0000000000..94caf55f34
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -0,0 +1,42 @@
+---
+title: WebAuthn APIs
+description: Enabling password-less authentication for your sites and apps
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: aabhathipsay
+ms.author: aathipsa
+ms.localizationpriority: medium
+ms.date: 02/15/2019
+---
+# WebAuthn APIs for password-less authentication on Windows 10
+
+
+### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can leverage password-less authentication.
+
+Microsoft has long been a proponent to do away with passwords.
+While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs!
+These APIs allow Microsoft developer partners and the developer community to leverage Windows Hello and FIDO2 security keys
+as a password-less authentication mechanism for their applications on Windows 10 devices.
+
+#### What does this mean?
+This opens opportunities for developers or relying parties (RPs) to enable password-less authentication.
+They can now leverage [Windows Hello](https://aka.ms/whfb) or [FIDO2 Security Keys](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key)
+as a password-less multi-factor credential for authentication.
+
+Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication
+ and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs site!
+
+The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later
+ and latest versions of other browsers.
+
+Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users.
+ Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC and BLE
+ without having to deal with the interaction and management overhead.
+This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO related messaging.
+
+#### Where can developers learn more?
+The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)
+
+
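Review bot: The new page gives two different version baselines. The introduction presents the APIs as new in "Windows 10 (version 1903)", while a later paragraph says they are "currently supported by Microsoft Edge on Windows 10 1809 or later". State which release introduces the APIs and which releases can use them. The sentence that browsers and apps "will no longer have direct access to above transports for FIDO related messaging" describes a behaviour change that developers of existing FIDO integrations need to plan for, so say from which version it applies. Smaller points: the `###` line under the title is a tagline rather than a heading and skips the H2 level, "RPs site" needs an apostrophe, and the last sentence is missing its period.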
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
index b8d18d2c76..0db3bc6070 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
@@ -104,7 +104,7 @@ Sign in the domain controller with _domain administrator_ equivalent credentials
##### Add accounts to the Phonefactor Admins group
1. Open **Active Directory Users and Computers**.
-2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**.
+2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**.
3. Click the **Members** tab.
4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**.
* The computer account for the primary MFA Server
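Review bot: The group name fix is right, but the same line still contains the fragment "Select Users. In the content pane. Right-click the ...". Since the line is being touched anyway, join it as "Select **Users**. In the content pane, right-click the **Phonefactor Admins** security group and select **Properties**."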
@@ -224,7 +224,7 @@ See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Wi
Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server.
>[!IMPORTANT]
->Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article.
+>Only follow the above mention article to install Azure MFA Server. Once it is installed, continue configuration using this article.
### Configuring Company Settings
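Review bot: The corrected line still reads "the above mention article"; change it to "the above-mentioned article" in the same edit that fixes "intstalled".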
@@ -541,4 +541,4 @@ The Multi-Factor Authentication server communicates with the Azure MFA cloud ser
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
+5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 491f941bf8..972960257a 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
-ms.date: 02/04/2019
+ms.date: 02/19/2019
---
# BitLocker: How to deploy on Windows Server 2012 and later
@@ -41,12 +41,7 @@ Windows PowerShell offers administrators another option for BitLocker feature in
### Using the servermanager module to install BitLocker
-The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. This can be determined using the `Get-WindowsFeature` cmdlet with a query such as:
-
-``` syntax
-Get-WindowsFeature Bit
-```
-The results of this command displays a table of all of the feature names beginning with “Bit” as their prefix. This allows you to confirm that the feature name is `BitLocker` for the BitLocker feature.
+The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell.
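Review bot: Removing the `Get-WindowsFeature` query leaves the statement that the feature name is `BitLocker` with no way for the reader to confirm it on their own server. If the command was removed because it did not behave as the old text described, replace it with a corrected query rather than dropping the verification step. The retained sentence also needs "cmdlet" after "`Install-WindowsFeature` or `Add-WindowsFeature`".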
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
index 68675bb3d6..6d4df86d67 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -62,7 +62,7 @@ For Encrypted Hard Drives used as **startup drives**:
## Technical overview
-Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
+Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
## Configuring Encrypted Hard Drives as Startup drives
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index d1c214ecbe..7bd8b0766d 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -7,7 +7,7 @@
##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
-###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
+###### [System integrity](windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
@@ -122,7 +122,9 @@
### [Configure and manage capabilities](windows-defender-atp/onboard.md)
#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
-##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
+####Hardware-based isolation
+##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+##### [Application isolation](windows-defender-application-guard/install-wd-app-guard.md)
###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### Device control
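Review bot: The added line `####Hardware-based isolation` has no space after the hashes, unlike every other entry in this TOC, including the unlinked `##### Device control` below it. Write it as `#### Hardware-based isolation` so it is parsed as a heading. Also check the nesting: `###### [Configuration settings]` now sits under the new Application isolation entry, which looks intended but should be confirmed.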
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
index e74b6ea5f4..acafa8b532 100644
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Coin miners
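Review bot: `ms.date` is deleted here with no replacement value, and the same deletion repeats in every front-matter hunk under `intelligence/`. If the date is now meant to come from elsewhere, say so in the commit message; otherwise set it to the date of this change rather than dropping it, so readers can still tell how current the threat guidance is.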
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index b33d8c80f8..8c2b11944e 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 07/12/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Coordinated Malware Eradication
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 10391a6db9..c0a0e11884 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/01/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# How Microsoft identifies malware and potentially unwanted applications
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
index 8a1c4b9338..37903b6e79 100644
--- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
+++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 07/12/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
---
# Industry collaboration programs
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
index e6979a1851..a2bbd64cbe 100644
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -10,7 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 07/01/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Software developer FAQ
@@ -18,24 +21,29 @@ ms.date: 07/01/2018
This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
## Does Microsoft accept files for a known list or false-positive prevention program?
+
No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers.
## How do I dispute the detection of my program?
-Submit the file in question as a software developer. Wait until your submission has a final determination.
+
+Submit the file in question as a software developer. Wait until your submission has a final determination.
If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software.
## Why is Microsoft asking for a copy of my program?
+
This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
## Why does Microsoft classify my installer as a software bundler?
+
It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted.
## Why is the Windows Firewall blocking my program?
+
This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
-This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
+This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
\ No newline at end of file
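Review bot: The last heading in this hunk, `## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?`, is the only one that does not get the blank line this change adds after every other heading, so the file ends up with mixed heading spacing. The final line is rewritten but still ends with `\ No newline at end of file`; add the trailing newline while touching it. The `-`/`+` pairs whose visible text is identical look like whitespace-only edits, which is worth stating in the commit message.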
diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md
index 4e1e50a9d6..64dc28a46a 100644
--- a/windows/security/threat-protection/intelligence/developer-info.md
+++ b/windows/security/threat-protection/intelligence/developer-info.md
@@ -10,14 +10,19 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
-ms.date: 07/13/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Information for developers
+
Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions.
-## In this section
-Topic | Description
+## In this section
+
+Topic | Description
:---|:---
[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.
[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest Security intelligence and cloud protection from Microsoft.
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index 78e8f2f4e8..49f709ec74 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -6,11 +6,14 @@ search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
+ms.localizationpriority: medium
ms.pagetype: security
ms.author: macapara
author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 07/13/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Software developer resources
@@ -19,7 +22,9 @@ Concerned about the detection of your software?
If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis.
Check out the following resources for information on how to submit and view submissions:
+
- [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission)
+
- [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory)
## Additional resources
@@ -34,4 +39,4 @@ Find more guidance about the file submission and detection dispute process in ou
### Scan your software
-Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) to check your software against the latest Security intelligence and cloud protection from Microsoft.
+Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md
index 460e31a545..9a519a1f3d 100644
--- a/windows/security/threat-protection/intelligence/exploits-malware.md
+++ b/windows/security/threat-protection/intelligence/exploits-malware.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Exploits and exploit kits
@@ -26,7 +29,7 @@ The infographic below shows how an exploit kit might attempt to exploit a device

-*Example of how exploit kits work*
+*Figure 1. Example of how exploit kits work*
Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index 435ac333f9..51d21fcd0c 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -6,12 +6,15 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: eravena
-author: eavena
-ms.date: 09/14/2018
+ms.author: ellevin
+author: levinec
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
-#Fileless threats
+# Fileless threats
What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate.
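Review bot: The opening paragraph left as context right under the corrected `# Fileless threats` heading still reads "suggests that a threat that does not come in a file" and "The terms is used broadly"; since this hunk already cleans up the top of the file, fix both in the same pass ("suggests a threat that does not come in a file", "The term is used broadly"). The `ms.author`/`author` values change from `eravena`/`eavena` to `ellevin`/`levinec`, so confirm that the ownership change is intended and not a copy from the sibling files.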
@@ -24,50 +27,50 @@ To shed light on this loaded term, we grouped fileless threats into different ca
We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts.
-Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
+Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads.
This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
-From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
+From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
-##Type I: No file activity performed
+## Type I: No file activity performed
-A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
+A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls.
Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
-##Type II: Indirect file activity
+## Type II: Indirect file activity
-There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
+There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
-##Type III: Files required to operate
+## Type III: Files required to operate
Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.

*Figure 2. Kovter’s registry key*
-When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
+When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present.
-##Categorizing fileless threats by infection host
+## Categorizing fileless threats by infection host
Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.
-###Exploits
+### Exploits
**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
-###Hardware
+### Hardware
**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
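Review bot: Several paragraph lines in this hunk are rewritten with no visible text change (for example the Type I and Type II opening paragraphs), yet the agreement errors in them and next to them are left in place: "Fileless malware of this type don't directly write files" on a `+` line, and "requires high levels of sophistication and often depend" in the context paragraph above it. Fix these while the lines are already being touched, and consider "footprint" instead of "how much fingerprint they may leave", since the sentence is about residual artifacts on the machine.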
@@ -79,7 +82,7 @@ Having described the broad categories, we can now dig into the details and provi
**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date.
-###Execution and injection
+### Execution and injection
**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes.
@@ -89,8 +92,8 @@ Having described the broad categories, we can now dig into the details and provi
**Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
-##Defeating fileless malware
+## Defeating fileless malware
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
\ No newline at end of file
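Review bot: The rewritten Windows Defender ATP link drops the `/en-us/` locale segment but keeps the `?ocid=docs-fileless` campaign parameter, whereas developer-resources.md in this same change removes `?ocid=cx-docs-avreports` from its link; apply one rule to tracking parameters across the patch. The Petya link in the context line above still carries `?source=mmpc` as well. The file also still ends with `\ No newline at end of file`.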
diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md
index 1b234b902e..cde3c3a454 100644
--- a/windows/security/threat-protection/intelligence/index.md
+++ b/windows/security/threat-protection/intelligence/index.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
---
# Security intelligence
@@ -19,6 +22,6 @@ Here you will find information about different types of malware, safety tips on
* [Submit files for analysis](submission-guide.md)
* [Safety Scanner download](safety-scanner-download.md)
-Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
+Keep up with the latest malware news and research. Check out our [Windows security blogs](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
index 1feeecd262..f58b40e4bf 100644
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Macro malware
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index 2dd0229441..c2073434a4 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Malware names
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index bc99e5240b..31666e81cb 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Phishing
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index 4340c81fde..6826c7b1af 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -8,14 +8,15 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Prevent malware infection
Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts.
-You can also browse the many [software and application solutions](https://review.docs.microsoft.com/en-us/windows/security/intelligence/prevent-malware-infection?branch=wdsi-migration-stuff#software-solutions) available to you.
-
## Keep software up-to-date
[Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore.
@@ -28,7 +29,7 @@ Email and other messaging tools are a few of the most common ways your device ca
* Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering.
-For more information, see [Phishing](phishing.md).
+For more information, see [phishing](phishing.md).
## Watch out for malicious or compromised websites
@@ -50,7 +51,7 @@ Using pirated content is not only illegal, it can also expose your device to mal
Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.
-To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/windows-10-s?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
+To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/en-us/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
## Don't attach unfamiliar removable drives
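Review bot: The new S mode URL adds a hard-coded locale (`/en-us/windows/s-mode`), while the fileless-threats.md hunk in this change removes `/en-us/` from its Windows Defender ATP link; use the locale-neutral form here too so readers are routed to their own language. The `?ocid=cx-wdsi-articles` parameter is kept, which is inconsistent with the `ocid` removal in developer-resources.md. The context line above ("any untoward experience are more likely to stay unreported") also needs "experiences".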
@@ -94,7 +95,7 @@ Microsoft provides comprehensive security capabilities that help protect against
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
-* [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
+* [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
@@ -114,4 +115,4 @@ Microsoft provides comprehensive security capabilities that help protect against
Windows Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects.
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
\ No newline at end of file
+In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
\ No newline at end of file
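Review bot: The last line is replaced to point at the support.microsoft.com troubleshooting article, but both the old and new versions end with `\ No newline at end of file`; add the trailing newline as part of this edit. The context sentence just above, "Windows Defender ATP antivirus capabilities helps reduce the chances of infection", has a subject-verb mismatch ("help reduce") that can be fixed in the same hunk.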
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
index 3441ceb6d7..5e39af26b7 100644
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Ransomware
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index cf0bc0334f..7f3d5bf8b2 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Rootkits
@@ -50,7 +53,7 @@ For more general tips, see [prevent malware infection](prevent-malware-infection
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment.
-[Windows Defender Offline](https://windows.microsoft.com/windows/what-is-windows-defender-offline) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
+[Windows Defender Offline](https://support.microsoft.com/help/17466/windows-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index b4f4ff5cc4..4ae4b880f3 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -6,11 +6,15 @@ ms.prod: w10
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-ms.date: 08/01/2018
+ms.author: ellevin
+author: levinec
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Microsoft Safety Scanner
+
Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733)
@@ -24,12 +28,14 @@ Safety Scanner only scans when manually triggered and is available for use 10 da
> **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
## System requirements
+
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle).
## How to run a scan
+
1. Download this tool and open it.
2. Select the type of scan you want run and start the scan.
-3. Review the scan results displayed on screen. The tool lists all identified malware.
+3. Review the scan results displayed on screen. For detailed detection results, view the log at **%SYSTEMROOT%\debug\msert.log**.
To remove this tool, delete the executable file (msert.exe by default).
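Review bot: In step 3 the log path is set in bold ("**%SYSTEMROOT%\debug\msert.log**"); a file path reads better as inline code, which also keeps the backslashes literal in any Markdown renderer. The replaced sentence dropped the statement that the tool lists all identified malware on screen, so consider keeping it and adding the log pointer after it. Since this list is being edited anyway, step 2 still reads "you want run" and is missing "to".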
@@ -37,9 +43,9 @@ For more information about the Safety Scanner, see the support article on [how t
## Related resources
-- [Troubleshooting Safety Scanner](https://support.microsoft.com/kb/2520970)
-- [Windows Defender Antivirus](https://www.microsoft.com/en-us/windows/windows-defender)
+- [Troubleshooting Safety Scanner](https://support.microsoft.com/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner)
+- [Windows Defender Antivirus](https://www.microsoft.com/windows/comprehensive-security)
- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
-- [Removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection)
-- [Submit file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission)
-- [Microsoft antimalware and threat protection solutions](https://www.microsoft.com/en-us/wdsi/products)
\ No newline at end of file
+- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
+- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
+- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)
\ No newline at end of file
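Review bot: The last added link keeps the label "Microsoft antimalware and threat protection solutions" but now points at the Windows Defender ATP documentation page, so the label no longer describes the target. Rename the label or pick a target that covers the product range. It is also an absolute docs.microsoft.com URL to a page that lives under windows/security/threat-protection/ in this repository, where a relative link (as trojans-malware.md now uses for safety-scanner-download.md) would be checked at build time. The file still ends without a trailing newline.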
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
index 8713b5332e..5ef22fbc0b 100644
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/01/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Submit files for analysis
diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md
index 340a2bf9f0..82d2b453d7 100644
--- a/windows/security/threat-protection/intelligence/supply-chain-malware.md
+++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Supply chain attacks
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 098be59223..461a852aa9 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Tech support scams
@@ -60,4 +63,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an
**www.microsoft.com/reportascam**
-You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality.
+You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
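Review bot: The changed line still ends with "using built in web browser functionality"; as the line is being touched, hyphenate it to "built-in".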
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index fdb25b78be..db3886f938 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -8,11 +8,15 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Top scoring in industry tests
-Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
+Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.
## Endpoint detection & response
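Review bot: The new Windows Defender ATP URL in the intro paragraph adds an /en-us/ locale segment, while other hunks in this patch remove en-us from microsoft.com links (support-scams.md, virus-information-alliance-criteria.md, virus-initiative-criteria.md). Pick one convention for the whole change; the locale-neutral form used in those hunks is the consistent choice.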
@@ -106,8 +110,8 @@ SE Labs tests a range of solutions used by products and services to detect and/o
It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.
-The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
+The capabilities within [Windows Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Windows Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
-Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
+Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).

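Review bot: The first Windows Defender ATP link in this hunk now targets /en-us/windowsforbusiness, whereas the 90-day trial link in the next changed paragraph and the intro link in the previous hunk target /en-us/WindowsForBusiness/windows-atp. The same product name should lead to the same page. If the general landing page is intended here, note that in the commit message; otherwise use the windows-atp URL in all three places.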
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
index 47a21f4308..0494fb62b7 100644
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Trojans
@@ -37,6 +40,6 @@ Use the following free Microsoft software to detect and remove it:
- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
-- [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner)
+- [Microsoft Safety Scanner](safety-scanner-download.md)
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
index 2f819e06b0..afe18b8e94 100644
--- a/windows/security/threat-protection/intelligence/understanding-malware.md
+++ b/windows/security/threat-protection/intelligence/understanding-malware.md
@@ -1,6 +1,6 @@
---
title: Understanding malware & other threats
-description: Learn about the world's most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them.
+description: Learn about the most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them.
keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi
ms.prod: w10
ms.mktglfcycl: secure
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
---
# Understanding malware & other threats
@@ -16,7 +19,7 @@ Malware is a term used to describe malicious applications and code that can caus
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
-As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf), businesses can stay protected with next-generation protection and other security capabilities.
+As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)), businesses can stay protected with next-generation protection and other security capabilities.
For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.
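Review bot: The replacement link carries ocid=cx-docs-avreports, the same ocid value that appears on every link in top-scoring-industry-antivirus-tests.md, so it looks copied from that page rather than chosen for this one. Drop the query string or use a value that belongs to understanding-malware.md, and drop the /en-us/ segment to match the locale-neutral links elsewhere in this patch.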
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index 1bd6897c42..bea8e40fca 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Unwanted software
@@ -30,7 +33,7 @@ Here are some indications of unwanted software:
Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser.
-Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria) to identify unwanted software.
+Microsoft uses an extensive [evaluation criteria](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria) to identify unwanted software.
## How to protect against unwanted software
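Review bot: The new evaluation criteria link is an absolute docs.microsoft.com URL to windows/security/threat-protection/intelligence/criteria, which is the same folder as this file. A relative link to that page, in the style of the safety-scanner-download.md link in trojans-malware.md, would be validated by the build and would follow the file if it moves. The sentence also reads "an extensive evaluation criteria"; "extensive evaluation criteria" without the article is correct.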
@@ -57,4 +60,4 @@ If you only recently noticed symptoms of unwanted software infection, consider s
You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome.
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
+In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
index 7ce546eeed..b7d6bd79e6 100644
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 07/12/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Virus Information Alliance
@@ -46,4 +49,4 @@ To be eligible for VIA your organization must:
3. Be willing to sign and adhere to the VIA membership agreement.
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
\ No newline at end of file
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index 7536a99f1e..f87f26230b 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 07/12/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Microsoft Virus Initiative
@@ -54,4 +57,4 @@ Your organization must meet the following eligibility requirements to participat
### Apply now
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
\ No newline at end of file
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index c9e7ce8541..0916baf125 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -8,7 +8,10 @@ ms.sitesec: library
ms.localizationpriority: medium
ms.author: ellevin
author: levinec
-ms.date: 08/17/2018
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
---
# Worms
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index 1423972366..d50f975bc2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
-ms.date: 02/28/2018
+ms.date: 02/19/2019
---
# Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business
@@ -16,4 +16,25 @@ ms.date: 02/28/2018
**Applies to:**
- Windows 10
-- Windows Server 2016
\ No newline at end of file
+- Windows Server 2019
+- Windows Server 2016
+
+You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed.
+
+## Sign your code integrity policy
+Before you get started, be sure to review these best practices:
+
+**Best practices**
+
+- Test your code integrity policies on a pilot group of devices before deploying them to production.
+- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Deploy Windows Defender Application Control policy rules and file rules](hhttps://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create).
+
+**To sign a code integrity policy**
+
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
+2. Click **Manage**, click **Store settings**, and then click **Device Guard**.
+3. Click **Upload** to upload your code integrity policy.
+4. After the files are uploaded, click **Sign** to sign the code integrity policy.
+5. Click **Download** to download the signed code integrity policy.
+
+ When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again.
\ No newline at end of file
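Review bot: The link in the second best-practices bullet starts with "hhttps://docs.microsoft.com/...", so it will not resolve; remove the extra "h". In step 1 the Microsoft Store for Business link uses http:// while the Education link beside it uses https://; use https for both, since this is a sign-in page for a portal that signs code integrity policies. Smaller points: "Use rule options 9 and 10" would be clearer with the option names spelled out, the "## Sign your code integrity policy" heading has no blank line after it unlike the headings added elsewhere in this patch, and the file still ends without a trailing newline.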
diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
index 1ec89ed28f..68919bc05b 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
-ms.date: 02/07/2019
+ms.date: 02/19/2019
---
# Prepare to install Windows Defender Application Guard
@@ -58,7 +58,7 @@ Employees can use hardware-isolated browsing sessions without any administrator
Applies to:
- Windows 10 Enterprise edition, version 1709 or higher
-You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests tooad non-enterprise domain(s) in the container.
+You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container.
The following diagram shows the flow between the host PC and the isolated container.

diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index b31f4ecc52..d3ddc702eb 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -5,7 +5,7 @@
#### [Hardware-based isolation](overview-hardware-based-isolation.md)
##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md)
###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md)
-##### [System isolation](how-hardware-based-containers-help-protect-windows.md)
+##### [System integrity](../windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
@@ -120,7 +120,9 @@
## [Configure and manage capabilities](onboard.md)
### [Configure attack surface reduction](configure-attack-surface-reduction.md)
-#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
+###Hardware-based isolation
+#### [System integrity](../windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+#### [Application isolation](../windows-defender-application-guard/install-wd-app-guard.md)
##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
#### Device control
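Review bot: The added line "###Hardware-based isolation" has no space after the hashes, so it will not be parsed as a heading by CommonMark-style renderers and differs from every other TOC entry. Write it as "### Hardware-based isolation", matching the unlinked "#### Device control" entry a few lines below.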
@@ -136,7 +138,6 @@
#### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
#### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
index 70e3d006fa..0db8c85384 100644
--- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
@@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 04/24/2018
---
# Enable conditional access to better protect users, devices, and data
@@ -57,7 +56,7 @@ There are three ways to address a risk:
2. Resolve active alerts on the machine. This will remove the risk from the machine.
3. You can remove the machine from the active policies and consequently, conditional access will not be applied on the machine.
-Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](#configure-conditional-access).
+Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md).
When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
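Review bot: The link target changes from the in-page anchor #configure-conditional-access to a separate file, but the sentence still says the settings are "provided in the following section". Reword it to point at the linked topic, for example "configured through the settings described in Configure conditional access", so the text matches where the link now goes.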
diff --git a/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md
deleted file mode 100644
index b1928497b1..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: How hardware-based containers help protect Windows 10 (Windows 10)
-description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-author: justinha
-ms.date: 08/01/2018
----
-
-
-# Windows Defender System Guard: How hardware-based containers help protect Windows 10
-
-Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
-Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard.
-
-Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make the these security guarantees:
-
-- Protect and maintain the integrity of the system as it starts up
-- Protect and maintain the integrity of the system after it's running
-- Validate that system integrity has truly been maintained through local and remote attestation
-
-## Maintaining the integrity of the system as it starts
-
-With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
-
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
-
-After successful verification and startup of the device’s firmware and Windows bootloader, the next opportunity for attackers to tamper with the system’s integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection.
-
-This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the system’s antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasn’t been compromised before the remainder of your system defenses start.
-
-
-
-## Maintaining integrity of the system after it’s running (run time)
-
-Prior to Windows 10, if an attacker exploited the system and gained SYSTEM level privilege or they compromised the kernel itself, it was game over. The level of control that an attacker would acquire in this condition would enable them to tamper with and bypass many, if not all, of your system defenses. While we have a number of development practices and technologies (such as Windows Defender Exploit Guard) that have made it difficult to gain this level of privilege in Windows 10, the reality is that we needed a way to maintain the integrity of the most sensitive Windows services and data, even when the highest level of privilege has been secured by an adversary.
-
-With Windows 10, we introduced the concept of virtualization-based security (VBS), which enables us to contain the most sensitive Windows services and data in hardware-based isolation, which is the Windows Defender System Guard container. This secure environment provides us with the hardware-based security boundary we need to be able to secure and maintain the integrity of critical system services at run time like Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender Exploit Guard, just to name a few.
-
-
-
-## Validating platform integrity after Windows is running (run time)
-
-While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
-
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
-
-
-
\ No newline at end of file
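Review bot: the removed sentence "It's designed to make the these security guarantees:" has a stray "the". If this article is being carried to a new location rather than retired, fix that in the destination copy, and hyphenate "third party" where it modifies "drivers" in the boot section. Since the whole file goes to /dev/null, also confirm the old path has a redirect so existing links to this article keep resolving.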
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index c60119b6e2..b20c0b27fa 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -26,11 +26,15 @@ ms.topic: conceptual
The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink)
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-abovefoldlink)
-Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
+Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
+For more information on capabilities that are generally available or in preview, see [What's new in Windows Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp).
+)
+
+## Turn on preview features
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
Turn on the preview experience setting to be among the first to try upcoming features.
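Review bot: the added line that contains only ")" directly after the "For more information ..." sentence will render as a stray parenthesis above the new "## Turn on preview features" heading; drop it. The link text in that sentence says "What's new in Windows Defender" while the target is whats-new-in-windows-defender-atp, so "What's new in Windows Defender ATP" would match the page title. The replaced "Learn about new features ..." line appears to differ from the old one only in whitespace; if that is a trailing-space line break, a blank line before "For more information" is easier to maintain.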
@@ -39,22 +43,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
-## Preview features
-The following features are included in the preview release:
-
-- [Information protection](information-protection-in-windows-overview.md)
-Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
-
-- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
-Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
-
-
-- [Onboard Windows Server 2019](configure-server-endpoints-windows-defender-advanced-threat-protection.md#windows-server-version-1803-and-windows-server-2019)
-Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-
-- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
-
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)
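Review bot: the below-the-fold trial link kept as context at the end of this hunk still points to https://www.microsoft.com/en-us/WindowsForBusiness/..., while the same commit removes the en-us locale from the above-the-fold link; update this one as well so both follow the reader's locale. With the "## Preview features" list removed, this page no longer says which features are in preview, so check that all four removed items (Information protection, Microsoft Cloud App Security integration, Windows Server 2019 onboarding, Power BI reports) are listed on the what's-new page it now defers to.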
diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md
index 15fb762c58..89ee51ebff 100644
--- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md
@@ -35,13 +35,16 @@ The following steps guide you on how to create roles in Windows Defender Securit
3. Enter the role name, description, and permissions you'd like to assign to the role.
- **Role name**
-
- **Description**
-
- **Permissions**
- **View data** - Users can view information in the portal.
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
+ - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
+
+ >[!NOTE]
+ >This setting is only available in the Windows Defender ATP administrator (default) role.
+
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
4. Click **Next** to assign the role to an Azure AD group.
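Review bot: the new note reads "This setting is only available in the Windows Defender ATP administrator (default) role." but it sits between the "Manage portal system settings" and "Manage security settings" bullets, so it is unclear which permission it restricts; name the permission in the note, for example "Manage portal system settings is only available in ...". Because this permission covers roles, machine groups and the SIEM and threat intel API settings, the text should also say plainly whether it can be granted to a custom role at all, since that decides who can change access for everyone else. In the bullet itself, "(applies globally)" reads as attached only to the API settings; state which of the listed settings are global.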
diff --git a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md
index 17510d55c1..38ca10ad59 100644
--- a/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md
+++ b/windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md
@@ -5,88 +5,119 @@ keywords: what's new in windows defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
-ms.mktglfcycl: deploy
+ms.mktglfcycl: secure
ms.sitesec: library
ms.pagetype: security
-ms.author: dansimp
-author: dansimp
+ms.author: macapara
+author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
-ms.topic: article
+ms.topic: conceptual
---
# What's new in Windows Defender ATP
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Here are the new features in the latest release of Windows Defender ATP.
+Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server.
-## Windows Defender ATP 1809
-- [Incidents](incidents-queue.md)
-Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
+## February 2019
+The following capabilities are generally available (GA).
+- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
-- [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)
Support for iOS and Android devices are now supported.
-
-- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
-Controlled folder access is now supported on Windows Server 2019.
-
-- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
-All Attack surface reduction rules are now supported on Windows Server 2019.
-For Windows 10, version 1809 there are two new attack surface reduction rules:
- - Block Adobe Reader from creating child processes
- - Block Office communication application from creating child processes.
-
-- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
- - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- - Windows Defender Antivirus can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
- - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans.
-
+- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
-- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
+## October 2018
+The following capabilities are generally available (GA).
+
+- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
All Attack surface reduction rules are now supported on Windows Server 2019.
+
+- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
Controlled folder access is now supported on Windows Server 2019.
+
+- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
+
+- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+
+- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+
+- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
+
+- [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)
iOS and Android devices are now supported and can be onboarded to the service.
+
+- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
-With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
-
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
-Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+- New in Windows 10 version 1809, there are two new attack surface reduction rules:
+ - Block Adobe Reader from creating child processes
+ - Block Office communication application from creating child processes.
+
+- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
+ - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
+ - Windows Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://cloudblogs.microsoft.com/microsoftsecure/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) (preview), increasing its security.
+ - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus) for Windows Defender Antivirus scans.
-- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
-Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
-- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
-Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
+### In preview
+The following capabilities are included in the October 2018 preview release.
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
-Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
+For more information on how to turn on preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
-Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
+- [Information protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview)
+Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
+Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
+
+ >[!NOTE]
+ >Partially available from Windows 10, version 1809.
-- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
-Windows Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
+- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
-## Windows Defender ATP 1803
-- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
-New attack surface reduction rules:
+ >[!NOTE]
+ >Available from Windows 10, version 1809 or later.
+
+- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
+
+- [Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
+
+
+## March 2018
+- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+Query data using Advanced hunting in Windows Defender ATP.
+
+- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
+ New attack surface reduction rules:
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block executable content from email client and webmail
+- [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
Use Automated investigations to investigate and remediate threats.
-- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
+ >[!NOTE]
+ >Available from Windows 10, version 1803 or later.
+
+- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
Enable conditional access to better protect users, devices, and data.
+
+- [Windows Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
+ The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
+
+- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
-- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
-Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus).
-- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
Query data using Advanced hunting in Windows Defender ATP
+- [Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)
+ Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network.
-- [Automated investigation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
Use Automated investigations to investigate and remediate threats
+- [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)
+ Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.
+
+
+- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)
+Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. For more information, see [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus).
+
+ Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus).
-- [Conditional access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
Enable conditional access to better protect users, devices, and data
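Review bot: the links added under "### In preview" are inconsistent with the rest of this hunk: the Information protection link pins the locale (https://docs.microsoft.com/en-us/windows/...) and the Power BI link is a relative .md path (powerbi-reports-windows-defender-advanced-threat-protection.md), while every other added entry uses a locale-neutral absolute URL; pick one form. The standalone bullet "New in Windows 10 version 1809, there are two new attack surface reduction rules:" repeats "new", has no link, and is separated from the "Attack surface reduction rules" entry it belongs to; nest it under that entry. "## March 2018" also lacks the "The following capabilities are generally available (GA)." line that the February 2019 and October 2018 sections now carry, so the status of those items is left implicit.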
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 5d0bab6314..f010ab338b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -1,6 +1,6 @@
---
title: Use attack surface reduction rules to prevent malware infection
-description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
+description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 11/29/2018
---
# Reduce attack surfaces with attack surface reduction rules
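Review bot: "ms.date: 11/29/2018" is deleted outright rather than updated. This commit also changes the supported-version and licensing statements on this page, so readers need a way to tell how current those requirements are; set ms.date to the date of this change, or confirm that the publishing system derives the date on its own and the removal is intentional.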
@@ -20,26 +19,25 @@ ms.date: 11/29/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides:
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1803 or later, or Windows Server 2019.
-- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
- - Executable files and scripts used in Office apps or web mail that attempt to download or run files
- - Scripts that are obfuscated or otherwise suspicious
- - Behaviors that apps undertake that are not usually initiated during normal day-to-day work
-- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks
-- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled
+To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
-When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
+Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
-Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019.
+- Executable files and scripts used in Office apps or web mail that attempt to download or run files
+- Obfuscated or otherwise suspicious scripts
+- Behaviors that apps don't usually initiate during normal day-to-day work
-## Requirements
+You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
-Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Windows Defender ATP Security Center and on the M365 console.
+
+For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
## Attack surface reduction rules
-The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table.
+The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy:
Rule name | GUID
-|-
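Review bot: The removed "## Requirements" paragraph stated that the rules require Windows Defender AV real-time protection, and none of the added lines in this hunk restate that dependency; if it still holds, carry it into the new licensing paragraph so the prerequisite isn't lost. The supported client version also moves from "version 1709 and later" to "version 1803 or later" with no explanation, which is worth confirming. The new table lead-in says "each of the 15 attack surface reduction rules", but the per-rule sections added later in this file number 14, so either the count or the list needs correcting.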
@@ -50,7 +48,7 @@ Block Office applications from injecting code into other processes | 75668C1F-73
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
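Review bot: Only the prevalence/age row is renamed in this hunk, so the table still reads "Block Win32 API calls from Office macro" while the section heading added later in this file is "Block Win32 API calls from Office macros"; update that row in the same change so the table and headings match. The "criterion" rename has the reverse problem: the Intune and SCCM name lines added for that rule keep "criteria", which is fine if they are the literal console strings but should be confirmed. The GUID column also mixes upper-case and lower-case values across rows; pick one casing.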
@@ -58,147 +56,186 @@ Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-### Rule: Block executable content from email client and webmail
+Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.
-This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
+### Block executable content from email client and webmail
+
+This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-- Script archive files
-### Rule: Block all Office applications from creating child processes
+Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
-Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
+SCCM name: Block executable content from email client and webmail
->[!NOTE]
->This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes).
+GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
+### Block all Office applications from creating child processes
-### Rule: Block Office applications from creating executable content
+This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
-This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
+This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings.
-Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
+Intune name: Office apps launching child processes
-### Rule: Block Office applications from injecting code into other processes
+SCCM name: Block Office application from creating child processes
-Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes.
+GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
+### Block Office applications from creating executable content
-### Rule: Block JavaScript or VBScript From launching downloaded executable content
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
-JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
+This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
-This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
+Intune name: Office apps/macros creating executable content
-### Rule: Block execution of potentially obfuscated scripts
+SCCM name: Block Office applications from creating executable content
-Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
+GUID: 3B576869-A4EC-4529-8536-B80A7769E899
-This rule prevents scripts that appear to be obfuscated from running.
+### Block Office applications from injecting code into other processes
-### Rule: Block Win32 API calls from Office macro
+Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
-Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system.
+This rule applies to Word, Excel, and PowerPoint.
-This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote.
+Intune name: Office apps injecting code into other processes (no exceptions)
-### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
+SCCM name: Block Office applications from injecting code into other processes
+
+GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+
+### Block JavaScript or VBScript from launching downloaded executable content
+
+Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
+
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers. You can exclude scripts so they're allowed to run.
+
+>[!IMPORTANT]
+>File and folder exclusions don't apply to this attack surface reduction rule.
+
+Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
+
+SCCM name: Block JavaScript or VBScript from launching downloaded executable content
+
+GUID: D3E037E1-3EB8-44C8-A917-57927947596D
+
+### Block execution of potentially obfuscated scripts
+
+Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script.
+
+Intune name: Obfuscated js/vbs/ps/macro code
+
+SCCM name: Block execution of potentially obfuscated scripts.
+
+GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+
+### Block Win32 API calls from Office macros
+
+Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface.
+
+Intune name: Win32 imports from Office macro code
+
+SCCM name: Block Win32 API calls from Office macros
+
+GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+
+### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
+This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
- Executable files (such as .exe, .dll, or .scr)
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
+
+SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
+
+GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
-### Rule: Use advanced protection against ransomware
+### Use advanced protection against ransomware
-This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
+This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
>[!NOTE]
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+Intune name: Advanced ransomware protection
+
+SCCM name: Use advanced protection against ransomware
+
+GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
-### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE]
- >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
+ >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
+Intune name: Flag credential stealing from the Windows local security authority subsystem
+
+SCCM name: Block credential stealing from the Windows local security authority subsystem
+
+GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+
+### Block process creations originating from PSExec and WMI commands
-### Rule: Block process creations originating from PSExec and WMI commands
-
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
+>[!IMPORTANT]
+>File and folder exclusions do not apply to this attack surface reduction rule.
+
>[!WARNING]
->[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
+>Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
+
+Intune name: Process creation from PSExec and WMI commands
+
+SCCM name: Not applicable
+
+GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
-### Rule: Block untrusted and unsigned processes that run from USB
+### Block untrusted and unsigned processes that run from USB
With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-### Rule: Block Office communication application from creating child processes
+Intune name: Untrusted and unsigned processes that run from USB
-Outlook will not be allowed to create child processes.
+SCCM name: Block untrusted and unsigned processes that run from USB
-This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
+GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+
+### Block Office communication application from creating child processes
+
+This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
>[!NOTE]
->This rule applies to Outlook only.
+>This rule applies to Outlook and Outlook.com only.
-### Rule: Block Adobe Reader from creating child processes
+Intune name: Not yet available
-This rule blocks Adobe Reader from creating child processes.
+SCCM name: Not yet available
-## Review attack surface reduction rule events in the Windows Defender ATP Security Center
+GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
-Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+### Block Adobe Reader from creating child processes
-You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled.
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
-## Review attack surface reduction rule events in Windows Event Viewer
+Intune name: Not applicable
-You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
+SCCM name: Not applicable
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
+GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-3. On the left panel, under **Actions**, click **Import custom view...**
-
-4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-5. Click **OK**.
-
-6. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
-
- Event ID | Description
--|-
-5007 | Event when settings are changed
-1122 | Event when rule fires in Audit-mode
-1121 | Event when rule fires in Block-mode
-
-### Event fields
-
-- **ID**: matches with the Rule-ID that triggered the block/audit.
-- **Detection time**: Time of detection
-- **Process Name**: The process that performed the "operation" that was blocked/audited
-- **Description**: Additional details about the event or audit, including Security intelligence, engine, and product version of Windows Defender Antivirus
-
-## Attack surface reduction rules in Windows 10 Enterprise E3
-
-A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3).
-
- ## In this section
-
-Topic | Description
----|---
-[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
-[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
-[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file.
+## Related topics
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
\ No newline at end of file
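Review bot: In the "Block JavaScript or VBScript from launching downloaded executable content" section, the added sentence "You can exclude scripts so they're allowed to run." is immediately followed by an [!IMPORTANT] note saying file and folder exclusions don't apply to this rule; drop one of the two, or say what kind of exclusion is meant. This hunk also deletes the whole "Review attack surface reduction rule events in Windows Event Viewer" section (event IDs 5007, 1122, 1121 and the custom-view steps), while the new intro tells E3 customers to use Event Viewer events to help deployment, so keep that section or link to where it moved. Smaller points: the exclusions note is worded "don't apply" in one rule and "do not apply" in another, the SCCM name for the obfuscated-scripts rule ends with a period unlike the others, and the file now ends without a trailing newline.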
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 8e84a3872c..c89bbdc0fa 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -11,101 +11,168 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/17/2018
---
# Enable attack surface reduction rules
-**Applies to:**
+[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules.
-Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
+## Exclude files and folders from ASR rules
+
+You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
+
+>[!WARNING]
+>Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
+>
+>If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
+
+>[!IMPORTANT]
+>File and folder exclusions do not apply to the following ASR rules:
+>
+>- Block process creations originating from PSExec and WMI commands
+>- Block JavaScript or VBScript from launching downloaded executable content
+
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
+
+ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+
+The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
## Enable and audit attack surface reduction rules
-You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
+It's best to use an enterprise-level management platform like Intune or System Center Configuration Manager (SCCM) to configure ASR rules, but you can also use Group Policy, PowerShell, or third-party mobile device management (MDM) CSPs.
-For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+>[!WARNING]
+>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy or PowerShell settings on startup.
-Attack surface reduction rules are identified by their unique rule ID.
+For a complete list of ASR rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md).
-You can manually add the rules by using the GUIDs in the following table:
+Each ASR rule contains three settings:
-Rule description | GUID
--|-
-Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550
-Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a
-Block Office applications from creating executable content | 3b576869-a4eC-4529-8536-b80a7769e899
-Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84
-Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d
-Block execution of potentially obfuscated scripts | 5beb7efe-fd9A-4556-801d-275e5ffc04cc
-Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+* Not configured: Disable the ASR rule
+* Block: Enable the ASR rule
+* Audit: Evaluate how the ASR rule would impact your organization if enabled
-See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
+For further details on how audit mode works and when to use it, see [Audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
-### Use Group Policy to enable or audit attack surface reduction rules
+### Enable ASR rules in Intune
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. In Intune, select *Device configuration* > *Profiles*. Choose an existing endpoint protection profile or create a new one. To create a new one, select *Create profile* and enter information for this profile. For *Profile type*, select *Endpoint protection*. If you've chosen an existing profile, select *Properties* and then select *Settings*.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the *Endpoint protection* pane, select *Windows Defender Exploit Guard*, then select *Attack Surface Reduction*. Select the desired setting for each ASR rule.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+3. Under *Attack Surface Reduction exceptions*, you can enter individual files and folders, or you can select *Import* to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
+
+
-4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
+4. Select *OK* on the three configuration panes and then select *Create* if you're creating a new endpoint protection file or *Save* if you're editing an existing one.
+
+### Enable ASR rules in SCCM
+
+For information about enabling ASR rules and setting exclusions in SCCM, see [Create and deploy an Exploit Guard policy](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy).
+
+### Enable ASR rules with Group Policy
+
+>[!WARNING]
+>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+
+4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- - Block mode = 1
- - Disabled = 0
- - Audit mode = 2
+ - Disable = 0
+ - Block (enable ASR rule) = 1
+ - Audit = 2
-
+ 
+
+5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
-### Use PowerShell to enable or audit attack surface reduction rules
+### Enable ASR rules with PowerShell
+
+>[!WARNING]
+>If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled
```
-You can enable the feature in audit mode using the following cmdlet:
+ To enable ASR rules in audit mode, use the following cmdlet:
-```PowerShell
-Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode
-```
-Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
+ ```PowerShell
+ Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode
+ ```
->[!IMPORTANT>
->You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list.
->
->In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
->
->```PowerShell
->Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
->```
+ To turn off ASR rules, use the following cmdlet:
+ ```PowerShell
+ Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled
+ ```
-You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
+ >[!IMPORTANT]
+ >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list.
+ >
+ >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
+ >
+ >```PowerShell
+ >Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
+ >```
->[!WARNING]
->`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
->You can obtain a list of rules and their current state by using `Get-MpPreference`
+ You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
+ >[!WARNING]
+ >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
+ >You can obtain a list of rules and their current state by using `Get-MpPreference`
-### Use MDM CSPs to enable attack surface reduction rules
+3. To exclude files and folders from ASR rules, use the following cmdlet:
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+ ```PowerShell
+ Add-MpPreference -AttackSurfaceReductionOnlyExclusions ""
+ ```
+
+ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list.
+
+ >[!IMPORTANT]
+ >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
+
+### Enable ASR rules with MDM CSPs
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+
+The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules).
+
+OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
+
+Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
+
+The values to enable, disable, or enable in audit mode are:
+
+- Disable = 0
+- Block (enable ASR rule) = 1
+- Audit = 2
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
+
+Example:
+
+OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+
+Value: c:\path|e:\path|c:\Whitelisted.exe
+
+>[!NOTE]
+>Be sure to enter OMA-URI values without spaces.
## Related topics
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Customize attack surface reduction](customize-attack-surface-reduction.md)
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
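Review bot: In the PowerShell section, step 2 still opens with `Set-MpPreference ... -AttackSurfaceReductionRules_Actions Enabled`, while the added audit and disable examples use `Add-MpPreference` and the WARNING further down states that `Set-MpPreference` always overwrites the existing set of rules. A reader who runs the first cmdlet as written replaces every rule already configured before reaching that warning; either use `Add-MpPreference` in all three single-rule examples or move the WARNING above the first cmdlet. Smaller points in the same hunk: "You can also the `Add-MpPreference` PowerShell verb" is missing "use" (carried over from the removed line); the single-rule cmdlets show nothing after `-AttackSurfaceReductionRules_Ids` and the exclusion example passes `""`, so the reader cannot tell what to substitute; and the sentence about `Get-MpPreference` sits inside the WARNING block without a blank `>` line or closing period.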
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 79fb8541bf..4f95d8c023 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 10/02/2018
+ms.date: 02/14/2019
---
# Enable controlled folder access
@@ -20,7 +20,7 @@ ms.date: 10/02/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
index 70500e0307..69d9054c81 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 08/08/2018
+ms.date: 02/14/2019
---
# Enable exploit protection
@@ -20,9 +20,9 @@ ms.date: 08/08/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
+[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
-Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
+Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
## Enable and audit exploit protection
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
index d147c77d43..ee0f20632d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 05/30/2018
+ms.date: 02/14/2019
---
# Enable network protection
@@ -20,7 +20,7 @@ ms.date: 05/30/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index b6ef34d2fc..78f14e5a59 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 11/29/2018
+ms.date: 02/14/2019
---
# Protect your network
@@ -71,7 +71,7 @@ You can review the Windows event log to see events that are created when network
1125 | Event when network protection fires in audit mode
1126 | Event when network protection fires in block mode
- ## In this section
+ ## Related topics
Topic | Description
---|---
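Review bot: The added heading line keeps the leading space before `##` that the removed line had; drop it so the heading matches the others in this topic. Also check that "Related topics" suits what follows: the content under it is still the Topic | Description table that was written for "In this section", whereas the Related topics sections elsewhere in this patch are plain link lists.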
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
index 5711270ae7..46df2bf21d 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
@@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 09/18/2018
---
# Troubleshoot attack surface reduction rules
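Review bot: Removing `ms.date` from the front matter here is inconsistent with the other topics touched in this patch, which all update it to `02/14/2019`. If the removal is deliberate, say so in the commit message; otherwise set `ms.date: 02/14/2019` as in the sibling files.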
@@ -40,7 +39,7 @@ Attack surface reduction rules will only work on devices with the following cond
> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
+> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
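Review bot: The rewritten link in the "Audit mode is not enabled" bullet loses its section anchor, so "Use Group Policy to set the rule to **Disabled**" now sends the reader to the top of enable-attack-surface-reduction.md rather than to the Group Policy steps. That section is renamed in this patch to "Enable ASR rules with Group Policy"; point the link at the new heading's anchor instead of dropping it. The bullet also says **Disabled** where the updated option list in the enable topic now reads "Disable = 0", so align the label.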
@@ -61,7 +60,7 @@ Follow the instructions in [Use the demo tool to see how attack surface reductio
Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run.
-1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
+1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
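Review bot: Step 3, directly below the changed line, still reads "attack surface reductio rule event logs"; fix the typo to "reduction" while this list is being edited. The changed link in step 1 also loses its section anchor, so it no longer takes the reader to the Group Policy steps the sentence refers to, and "**Audit mode** (value: **2**)" no longer matches the "Audit = 2" label used in the updated enable topic.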
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
new file mode 100644
index 0000000000..7531187507
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -0,0 +1,83 @@
+---
+title: How a hardware-based root of trust helps protect Windows 10 (Windows 10)
+description: Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: justinha
+ms.date: 02/14/2019
+---
+
+
+# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
+
+In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
+
+Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
+
+- Protect and maintain the integrity of the system as it starts up
+- Validate that system integrity has truly been maintained through local and remote attestation
+
+## Maintaining the integrity of the system as it starts
+
+### Static Root of Trust for Measurement (SRTM)
+
+With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
+This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
+
+With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
+This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
+This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
+
+As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
+Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blacklist), or a list of known 'good' SRTM measurements (also known as a whitelist).
+Each option has a drawback:
+
+- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed.
+- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
+In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
+
+### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
+
+Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
+DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
+This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
+
+
+
+
+Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
+
+### System Management Mode (SMM) protection
+
+System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
+Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
+SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if DRTM is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
+To defend against this, two techniques are used:
+
+1. Paging protection to prevent inappropriate access to code and data
+2. SMM hardware supervision and attestation
+
+Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering.
+This prevents access to any memory that has not been specifically assigned.
+
+A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to.
+
+SMM protection is built on top of the Secure Launch technology and requires it to function.
+In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with.
+
+## Validating platform integrity after Windows is running (run time)
+
+While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
+
+As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few.
+
+
+
+
+After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
+
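Review bot: In the SMM section, "a non-maskable interrupt (SMI) is invoked" gives SMI as the abbreviation of a phrase it does not abbreviate; write it as "a System Management Interrupt (SMI), which is non-maskable," so that the later "supervisor SMI handler" and "SMI Handler" read correctly (and pick one capitalization for "handler"). In the same paragraph, "x86 microcontrollers" should probably be "x86 processors". In the SRTM section, "In addition, a bug fix for UEFI code can take a long time..." follows the second bullet with no blank line, so it will render as part of that bullet; add a blank line if it is meant to apply to both options.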
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png
new file mode 100644
index 0000000000..dda2271807
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png
new file mode 100644
index 0000000000..ccdf5070d3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png
new file mode 100644
index 0000000000..8a82cab356
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png
new file mode 100644
index 0000000000..99e8cb1384
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png
new file mode 100644
index 0000000000..99e8cb1384
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png b/windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png
new file mode 100644
index 0000000000..8707d0fba4
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png
new file mode 100644
index 0000000000..1761e2e539
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png
new file mode 100644
index 0000000000..fbd6a798b0
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png
new file mode 100644
index 0000000000..865af86b19
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
new file mode 100644
index 0000000000..6b0f8c4ebd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -0,0 +1,66 @@
+---
+title: System Guard Secure Launch and SMM protection (Windows 10)
+description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: justinha
+ms.date: 02/14/2019
+---
+
+# System Guard Secure Launch and SMM protection
+
+This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 devices.
+
+## How to enable System Guard Secure Launch
+
+You can enable System Guard Secure Launch by using any of these options:
+
+- [Mobile Device Management (MDM)](#mobile-device-management)
+- [Group Policy](#group-policy)
+- [Windows Security app](#windows-security-app)
+- [Registry](#registry)
+
+### Mobile Device Management
+
+System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, specifically [DeviceGuard/ConfigureSystemGuardLaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch).
+
+### Group Policy
+
+1. Click **Start** > type and then click **Edit group policy**.
+2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
+
+
+
+### Windows Security app
+
+Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
+
+
+
+### Registry
+
+1. Open Registry editor.
+2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**.
+3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**.
+4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**.
+5. Double-click **Enabled**, change the value to **1**, and click **OK**.
+
+
+
+## How to verify System Guard Secure Launch is configured and running
+
+To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
+
+
+
+
+
+
+
+
+
+
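Review bot: The title, description and opening sentence all promise configuration of SMM protection, but the topic only has sections for enabling and verifying Secure Launch; either add an SMM protection section or narrow the title and intro to what is covered. The procedures are also incomplete as written: Group Policy step 1 says "Click **Start** > type and then click **Edit group policy**" without saying what to type, step 2 ends at **Secure Launch Configuration** without naming the option to select, and the verification section tells the reader to look under the two Virtualization-based Security entries without stating what value indicates Secure Launch is configured and running. The Mobile Device Management section likewise names the `DeviceGuard/ConfigureSystemGuardLaunch` policy but not the value to set.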