diff --git a/devices/hololens/hololens2-setup.md b/devices/hololens/hololens2-setup.md index 319644824d..79189a7cf6 100644 --- a/devices/hololens/hololens2-setup.md +++ b/devices/hololens/hololens2-setup.md @@ -62,7 +62,7 @@ To turn on your HoloLens 2, press the Power button. The LED lights below the Po | To turn on | Single button press. | All five lights turn on, then change to indicate the battery level. After four seconds, a sound plays. | | To sleep | Single button press. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To wake from sleep | Single button press. | All five lights turn on, then change to indicate the battery level. A sound immediately plays. | -| To turn off | Press and for hold 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | +| To turn off | Press and hold for 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To force the Hololens to restart if it is unresponsive | Press and hold for 10s. | All five lights turn on, then fade off one at a time. After the lights turn off. | ## HoloLens behavior reference diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 7f3793ed3f..88b0653b00 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -49,7 +49,8 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 ```PowerShell New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` -[!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. +> [!IMPORTANT] +> ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md index fe487f8337..61fc8352df 100644 --- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md @@ -11,7 +11,7 @@ ms.author: dansimp ms.topic: article ms.localizationpriority: medium ms.audience: itpro -ms.date: 10/21/2019 +ms.date: 01/15/2020 ms.reviewer: manager: dansimp --- @@ -99,10 +99,7 @@ Because customizations are performed by MDT at the time of deployment, the goal For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). -When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). - - -In addition to the driver files that help Windows communicate with the hardware components of the Surface device, the .zip file you download will also contain firmware updates. These firmware updates will update the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. The firmware of an out-of-date Surface device is thus updated when the device reboots during and after the Windows deployment process. +When you browse to the specific Microsoft Download Center page for your device, you will find a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. Firmware updates maintain the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. For more information, see [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). >[!NOTE] >Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices. @@ -234,7 +231,7 @@ You now have an empty deployment share that is ready for you to add the resource The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC). >[!NOTE] ->A 64-bit operating system is required for compatibility with Surface Studio, Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3. +>A 64-bit operating system is required for compatibility with Surface devices except Surface Pro X which cannot be managed with MDT. To import Windows 10 installation files, follow these steps: @@ -404,9 +401,9 @@ Perform the reference image deployment and capture using the following steps: * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**. * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**. - ![Capture an image of the reference machine](images/surface-deploymdt-fig16.png "Capture an image of the reference machine") + ![Capture an image of the reference machine](images/surface-deploymdt-fig16.png "Capture an image of the reference machine") - *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment* + *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment* * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image. diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 47c2ffed10..1761581ced 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -46,9 +46,14 @@ documentation](https://docs.microsoft.com/windows/desktop/sysinfo/registry). 1. Run regedit from a command prompt to open the Windows Registry Editor. - - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Surface\Surface Brightness Control\ - + + If you're running an older version of Surface Brightness control, run the following command instead: + + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + Brightness Control\ + | Registry Setting | Data| Description |-----------|------------|--------------- diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 4f6bf5db20..1b1a144c38 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -174,7 +174,7 @@ With all these options, which an organization chooses depends on the resources, | Windows Update | Yes (manual) | No | Delivery Optimization | None| | Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects | | WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | -| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options | +| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](https://docs.microsoft.com/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows 10 Update Delivery](https://docs.microsoft.com/windows/deployment/update/waas-optimize-windows-10-updates) | Distribution points, multiple deployment options | >[!NOTE] >Due to [naming changes](#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 555eb005b1..2119a4bb72 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1703. +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -7,14 +7,14 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: dansimp -ms.author: dansimp +author: brianlic-msft +ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/19/2019 -ms.reviewer: +ms.date: 01/04/2020 +ms.reviewer: --- @@ -33,8 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - -- [Windows 10, version 1903 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) +- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -60,6 +59,7 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. - **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS2** The count of DataSourceMatchingInfoBlock objects present on this machine targeting the next release of Windows - **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. - **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. @@ -77,7 +77,6 @@ The following fields are available: - **SystemWim** The total number of objects of this type present on this device. - **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -92,7 +91,7 @@ The following fields are available: - **HasCitData** Indicates whether the file is present in CIT data. - **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. - **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. @@ -190,7 +189,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. +This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date. The following fields are available: @@ -221,7 +220,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. The following fields are available: @@ -252,7 +251,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date. The following fields are available: @@ -283,7 +282,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. +This event sends compatibility database information about the BIOS to help keep Windows up to date. The following fields are available: @@ -315,7 +314,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd -This event sends compatibility decision data about a file to help keep Windows up-to-date. +This event sends compatibility decision data about a file to help keep Windows up to date. The following fields are available: @@ -364,7 +363,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up to date. +This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date. The following fields are available: @@ -790,7 +789,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events. ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd @@ -856,7 +855,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date. The following fields are available: @@ -927,7 +926,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date. The following fields are available: @@ -960,7 +959,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date. The following fields are available: @@ -1159,7 +1158,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanAdd -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date. The following fields are available: @@ -1196,32 +1195,32 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. +This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. The following fields are available: - **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. - **AppraiserProcess** The name of the process that launched Appraiser. - **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. - **AuxFinal** Obsolete, always set to false. - **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. - **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. - **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **RunResult** The hresult of the Appraiser diagnostic data run. +- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **TelementrySent** Indicates whether diagnostic data was successfully sent. +- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. - **Time** The client time of the event. - **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. - **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. @@ -1444,6 +1443,7 @@ The following fields are available: - **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. +- **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd - **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. @@ -1538,6 +1538,7 @@ The following fields are available: - **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. - **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . - **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **InternalPrimaryDisplayType** Represents the type of technology used in the monitor, such as Plasma, LED, LCOS, etc. - **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine - **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. - **VRAMDedicated** Retrieves the video RAM in MB. @@ -1720,7 +1721,7 @@ The following fields are available: - **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence - **op** Represents the ETW Op Code. - **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **sqmId** The Windows SQM ID. +- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier. - **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - **tickets** An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along with a batch of events. @@ -1778,6 +1779,47 @@ This event provides information about the results of installing optional Windows +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + + + +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. + + ## Content Delivery Manager events ### Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent @@ -1864,7 +1906,7 @@ The following fields are available: ### TelClientSynthetic.ConnectivityHeartBeat_0 -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. The following fields are available: @@ -2597,6 +2639,45 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd Invalid variant - Provides data on the installed Office Add-ins @@ -2724,6 +2805,15 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **IndicatorValue** The indicator value. +- **Value** Describes an operating system indicator that may be relevant for the device upgrade. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove @@ -2814,6 +2904,20 @@ The following fields are available: - **UptimeDeltaMS** Duration in last state in milliseconds. +## Migration events + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +This event returns data about the count of the migration objects across various phases during feature update. + + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr + +This event returns data to track the count of the migration objects across various phases during feature update. + + + ## OneDrive events ### Microsoft.OneDrive.Sync.Setup.APIOperation @@ -4387,7 +4491,7 @@ The following fields are available: - **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. - **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. - **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. - **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce @@ -4799,7 +4903,13 @@ The following fields are available: ### FacilitatorTelemetry.DCATDownload -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure. + + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. @@ -4811,7 +4921,7 @@ This event determines whether devices received additional or critical supplement ### Setup360Telemetry.Downlevel -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure. The following fields are available: @@ -5127,6 +5237,7 @@ The following fields are available: - **CategoryId** The Item Category ID. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** The result code of the last action performed before this operation. +- **IntentPFNs** Intent Product Family Name - **IsBundle** Is this a bundle? - **IsInteractive** Was this requested by a user? - **IsMandatory** Was this a mandatory update? @@ -5137,6 +5248,7 @@ The following fields are available: - **PFN** The product family name of the product being installed. - **ProductId** The identity of the package or packages being installed. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UpdateId** Update ID (if this is an update) - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. - **WUContentId** The Windows Update content ID. @@ -5164,6 +5276,7 @@ The following fields are available: - **BundleId** The identity of the Windows Insider build that is associated with this product. - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. +- **IntentPFNs** Intent Product Family Name - **IsBundle** Is this a bundle? - **IsInteractive** Was this requested by a user? - **IsMandatory** Is this a mandatory update? @@ -5203,16 +5316,20 @@ The following fields are available: - **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. - **AttemptNumber** The total number of attempts to acquire this product. +- **BundleId** The bundle ID - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** HResult code to show the result of the operation (success/failure). +- **IntentPFNs** Intent Product Family Name - **IsBundle** Is this a bundle? - **IsInteractive** Did the user initiate the installation? - **IsMandatory** Is this a mandatory update? - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this happening after a device restore? - **IsUpdate** Is this an update? +- **IsWin32** Flag indicating if this is a Win32app. - **ParentBundledId** The product's parent bundle ID. +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). - **PFN** Product Family Name of the product being installed. - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The number of attempts by the system to acquire this product. @@ -5235,16 +5352,19 @@ The following fields are available: - **DownloadSize** The total size of the download. - **ExtendedHResult** Any extended HResult error codes. - **HResult** The result code of the last action performed. +- **IntentPFNs** Intent Product Family Name - **IsBundle** Is this a bundle? - **IsInteractive** Is this initiated by the user? - **IsMandatory** Is this a mandatory installation? - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this a restore of a previously acquired product? - **IsUpdate** Is this an update? +- **IsWin32** Flag indicating if this is a Win32 app (unused). - **ParentBundleId** The parent bundle ID (if it's part of a bundle). - **PFN** The Product Family Name of the app being download. - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The number of attempts by the system to download. +- **UpdateId** Update ID (if this is an update) - **UserAttemptNumber** The number of attempts by the user to download. - **WUContentId** The Windows Update content ID. @@ -5280,16 +5400,19 @@ The following fields are available: - **ClientAppId** The identity of the app that initiated this operation. - **ExtendedHResult** The extended HResult error code. - **HResult** The result code of the last action performed. +- **IntentPFNs** Intent Product Family Name - **IsBundle** Is this a bundle? - **IsInteractive** Is this an interactive installation? - **IsMandatory** Is this a mandatory installation? - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this automatically restoring a previously acquired product? - **IsUpdate** Is this an update? +- **IsWin32** Flag indicating if this a Win32 app (unused). - **ParentBundleId** The product ID of the parent (if this product is part of a bundle). - **PFN** Product Family Name of the product being installed. - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The total number of system attempts. +- **UpdateId** Update ID (if this is an update) - **UserAttemptNumber** The total number of user attempts. - **WUContentId** The Windows Update content ID. @@ -5319,16 +5442,19 @@ The following fields are available: - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** The result code of the last action performed. +- **IntentPFNs** The licensing identity of this package. - **IsBundle** Is this a bundle? - **IsInteractive** Is this user requested? - **IsMandatory** Is this a mandatory update? - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this restoring previously acquired content? - **IsUpdate** Is this an update? +- **IsWin32** Flag indicating if this a Win32 app (unused). - **ParentBundleId** The product ID of the parent (if this product is part of a bundle). - **PFN** The name of the package or packages requested for install. - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The total number of system attempts. +- **UpdateId** Update ID (if this is an update) - **UserAttemptNumber** The total number of user attempts. - **WUContentId** The Windows Update content ID. @@ -5345,6 +5471,7 @@ The following fields are available: - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** The result code of the last action performed. +- **IntentPFNs** The licensing identity of this package. - **IsBundle** Is this a bundle? - **IsInteractive** Is this user requested? - **IsMandatory** Is this a mandatory update? @@ -5414,6 +5541,7 @@ The following fields are available: - **BundleId** The identity of the build associated with this product. - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. +- **IntentPFNs** The licensing identity of this package. - **IsBundle** Is this a bundle? - **IsInteractive** Is this user requested? - **IsMandatory** Is this a mandatory update? @@ -5443,6 +5571,7 @@ The following fields are available: - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** The result code of the last action performed before this operation. +- **IntentPFNs** Intent Product Family Name - **IsBundle** Is this a bundle? - **IsInteractive** Is this user requested? - **IsMandatory** Is this a mandatory update? @@ -6260,6 +6389,12 @@ This event sends data specific to the FixupEditionId mitigation used for OS Upda ## Windows Update Reserve Manager events +### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + + + ### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager This event returns data about the Update Reserve Manager, including whether it’s been initialized. @@ -6272,6 +6407,12 @@ This event is sent when the Update Reserve Manager removes a pending hard reserv +### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment + +This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. + + + ## Winlogon events ### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 1cecae9cf2..8c6ee5c804 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1709. +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -7,14 +7,14 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: dansimp -ms.author: dansimp +author: brianlic-msft +ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/19/2019 -ms.reviewer: +ms.date: 01/04/2020 +ms.reviewer: --- @@ -33,8 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - -- [Windows 10, version 1903 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) +- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) @@ -102,7 +101,7 @@ The following fields are available: - **HasCitData** Indicates whether the file is present in CIT data. - **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. - **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. @@ -201,7 +200,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. +This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -234,7 +233,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -267,7 +266,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -300,7 +299,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. +This event sends compatibility database information about the BIOS to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -333,7 +332,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd -This event sends compatibility decision data about a file to help keep Windows up-to-date. +This event sends compatibility decision data about a file to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -347,7 +346,7 @@ The following fields are available: - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? - **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsDismissAction** Will the file cause an action that can be dismissed? - **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. - **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? - **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. @@ -384,7 +383,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up to date. +This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -828,7 +827,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events. ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd @@ -895,7 +894,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -970,7 +969,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1005,7 +1004,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1216,7 +1215,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanAdd -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1255,7 +1254,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. +This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. The following fields are available: @@ -1266,21 +1265,21 @@ The following fields are available: - **AuxFinal** Obsolete, always set to false. - **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. - **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. - **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **RunResult** The hresult of the Appraiser diagnostic data run. +- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **TelementrySent** Indicates whether diagnostic data was successfully sent. +- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. - **Time** The client time of the event. - **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. - **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. @@ -1819,7 +1818,7 @@ The following fields are available: - **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence - **op** Represents the ETW Op Code. - **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **sqmId** The Windows SQM ID. +- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier. - **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. - **tickets** An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along with a batch of events. @@ -1914,6 +1913,12 @@ The following fields are available: - **pendingDecision** Indicates the cause of reboot, if applicable. +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + + + ### CbsServicingProvider.CbsSelectableUpdateChangeV2 This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. @@ -1965,7 +1970,7 @@ Fired by UTC at startup to signal what data we are allowed to collect. ### TelClientSynthetic.ConnectivityHeartBeat_0 -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. @@ -2476,7 +2481,7 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. +This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -2650,6 +2655,45 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd Invalid variant - Provides data on the installed Office Add-ins @@ -2837,7 +2881,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **BrowserFlags** Browser flags for Office-related products +- **BrowserFlags** Browser flags for Office-related products. - **ExchangeProviderFlags** Office Exchange provider policies - **InventoryVersion** The version of the inventory binary generating the events. - **SharedComputerLicensing** Office Shared Computer Licensing policies @@ -3039,6 +3083,26 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +## Migration events + +### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr + +This event returns data to track the count of the migration objects across various phases during feature update. + + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +This event returns data about the count of the migration objects across various phases during feature update. + + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr + +This event returns data to track the count of the migration objects across various phases during feature update. + + + ## OneDrive events ### Microsoft.OneDrive.Sync.Setup.APIOperation @@ -4411,7 +4475,7 @@ The following fields are available: - **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. - **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. - **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. - **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce @@ -5032,7 +5096,13 @@ The following fields are available: ### FacilitatorTelemetry.DCATDownload -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure. + + + +### FacilitatorTelemetry.DUDownload + +This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. @@ -5044,7 +5114,7 @@ This event determines whether devices received additional or critical supplement ### Setup360Telemetry.Downlevel -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure. The following fields are available: @@ -5274,7 +5344,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -5293,6 +5363,18 @@ The following fields are available: - **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String. +### Microsoft.Windows.WaaSMedic.RemediationFailed + +This event is sent when the WaaS Medic update stack remediation tool fails to apply a described resolution to a problem that is blocking Windows Update from operating correctly on a target device. + +The following fields are available: + +- **diagnostic** Parameter where the resolution failed. +- **hResult** Error code that resulted from attempting the resolution. +- **isRemediated** Indicates whether the condition was remediated. +- **pluginName** Name of the attempted resolution. + + ### Microsoft.Windows.WaaSMedic.Summary This event provides the results of the WaaSMedic diagnostic run @@ -5459,6 +5541,7 @@ The following fields are available: - **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. - **AttemptNumber** The total number of attempts to acquire this product. +- **BundleId** The bundle ID - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** HResult code to show the result of the operation (success/failure). @@ -5468,6 +5551,7 @@ The following fields are available: - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this happening after a device restore? - **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). - **PFN** Product Family Name of the product being installed. - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The number of attempts by the system to acquire this product. @@ -6573,6 +6657,7 @@ The following fields are available: This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. + ### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager This event returns data about the Update Reserve Manager, including whether it’s been initialized. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 94306ce392..64a869e06a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1803. +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -7,14 +7,14 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: dansimp -ms.author: dansimp +author: brianlic-msft +ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/19/2019 -ms.reviewer: +ms.date: 01/04/2020 +ms.reviewer: --- @@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 1903 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) +- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) @@ -135,7 +135,7 @@ The following fields are available: - **HasCitData** Indicates whether the file is present in CIT data. - **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. - **IsAv** Is the file an antivirus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sent. +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. @@ -234,7 +234,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. +This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -267,7 +267,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -300,7 +300,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -333,7 +333,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. +This event sends compatibility database information about the BIOS to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -366,7 +366,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd -This event sends compatibility decision data about a file to help keep Windows up-to-date. +This event sends compatibility decision data about a file to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -381,7 +381,7 @@ The following fields are available: - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? - **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsDismissAction** Will the file cause an action that can be dismissed? - **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. - **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? - **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. @@ -418,7 +418,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up to date. +This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -865,7 +865,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events. ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd @@ -931,7 +931,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1006,7 +1006,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1041,7 +1041,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1258,7 +1258,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanAdd -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1297,18 +1297,18 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. +This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. The following fields are available: - **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. - **AppraiserProcess** The name of the process that launched Appraiser. - **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. - **AuxFinal** Obsolete, always set to false. - **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. - **InboxDataVersion** The original version of the data files before retrieving any newer version. - **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. @@ -1317,14 +1317,14 @@ The following fields are available: - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. - **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **RunResult** The hresult of the Appraiser diagnostic data run. +- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **TelementrySent** Indicates whether diagnostic data was successfully sent. +- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. - **Time** The client time of the event. - **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. - **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. @@ -1391,6 +1391,18 @@ The following fields are available: - **IEVersion** The version of Internet Explorer that is running on the device. +### Census.Azure + +This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. + +The following fields are available: + +- **CloudCoreBuildEx** The Azure CloudCore build number. +- **CloudCoreSupportBuildEx** The Azure CloudCore support build number. +- **NodeID** The node identifier on the device that indicates whether the device is part of the Azure fleet. +- **PartA_PrivTags** The privacy tags associated with the event. + + ### Census.Battery This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. @@ -2105,6 +2117,43 @@ The following fields are available: - **transactionCanceled** Indicates whether the uninstall was cancelled. +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **PartA_PrivTags** The privacy tags associated with the event. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + ### CbsServicingProvider.CbsSelectableUpdateChangeV2 This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. @@ -2250,7 +2299,7 @@ The following fields are available: ### TelClientSynthetic.ConnectivityHeartbeat_0 -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. The following fields are available: @@ -3394,7 +3443,7 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. +This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -3568,6 +3617,50 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **ProgramId** The ID of the associated program. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd Provides data on the installed Office Add-ins @@ -3760,10 +3853,10 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **BrowserFlags** Browser flags for Office-related products -- **ExchangeProviderFlags** Provider policies for Office Exchange +- **BrowserFlags** Browser flags for Office-related products. +- **ExchangeProviderFlags** Provider policies for Office Exchange. - **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies +- **SharedComputerLicensing** Office shared computer licensing policies. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync @@ -3994,6 +4087,215 @@ The following fields are available: - **UptimeDeltaMS** Total time (in milliseconds) added to Uptime since the last event +## Microsoft Edge events + +### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config + +This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config + +This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config + +This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config + +This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping + +This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date. + +The following fields are available: + +- **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''. +- **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update. +- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). +- **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev). +- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. +- **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. +- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. Default: '-2' (Unknown). +- **appExperiments** A semicolon-delimited key/value list of experiment identifiers and treatment groups. This field is unused and always empty in Edge Update. Default: ''. +- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. +- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. +- **appNextVersion** The version of the app that the update attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'. +- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. +- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. +- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'. +- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. +- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. +- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. +- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'. +- **appPingEventEventResult** An enumeration indicating the result of the event. Common values are '0' (Error) and '1' (Success). Default: '0' (Error). +- **appPingEventEventType** An enumeration indicating the type of the event and the event stage. Default: '0' (Unknown). +- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. +- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventSequenceId** An ID that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. +- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a tag. +- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. +- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' MUST match '1.2.3.4' but MUST NOT match '1.2.34'). Default: ''. +- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request is sent over SSL or another secure protocol. This field is unused by Edge Update and always empty. Default: ''. +- **appVersion** The version of the product install. Default: '0.0.0.0'. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **eventType** A string representation of appPingEventEventType indicating the type of the event. +- **hwHasAvx** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. +- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. +- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. +- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''. +- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. +- **osVersion** The primary version of the operating system. '' if unknown. Default: ''. +- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'. +- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''. +- **requestDomainJoined** '1' if the device is part of a managed enterprise domain. Otherwise '0'. +- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''. +- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'. +- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''. +- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'. +- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients MUST always transmit this attribute. Default: undefined. +- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Default: ''. +- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''. +- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique sessionid. Default: ''. +- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''. +- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt should have (with high probability) a unique request id. Default: ''. + + +### Aria.f4a7d46e472049dfba756e11bdbbc08f.Microsoft.WebBrowser.SystemInfo.Config + +This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +## Migration events + +### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr + +This event returns data to track the count of the migration objects across various phases during feature update. + + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFSys + +This event returns data about the count of the migration objects across various phases during feature update. + + + +### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr + +This event returns data to track the count of the migration objects across various phases during feature update. + + + ## Miracast events ### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd @@ -4937,6 +5239,12 @@ The following fields are available: ## SIH events +### SIHEngineTelemetry.ExecuteAction + +This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. + + + ### SIHEngineTelemetry.SLSActionData This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated. @@ -5287,28 +5595,111 @@ The following fields are available: - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. - **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. - **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. - **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. - **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce -- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id) +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). - **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** Identifies the revision of this specific piece of content -- **RevisionNumber** Identifies the revision number of this specific piece of content +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. - **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** An encoded string of the timestamp token. -- **SignatureAlgorithm** Hash algorithm for the metadata signature +- **SignatureAlgorithm** The hash algorithm for the metadata signature. - **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast -- **StatusCode** The status code of the event. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. - **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** Identifier associated with the specific piece of content +- **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Update Assistant events + +### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId + +The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies. + +The following fields are available: + +- **ApplicabilityBlockedReason** Blocked due to an applicability issue. +- **BlockWuUpgrades** The upgrade assistant is currently blocked. +- **clientID** An identification of the current release of Update Assistant. +- **CloverTrail** This device is Clovertrail. +- **DeviceIsMdmManaged** This device is MDM managed. +- **IsNetworkAvailable** If the device network is not available. +- **IsNetworkMetered** If network is metered. +- **IsSccmManaged** This device is SCCM managed. +- **NewlyInstalledOs** OS is newly installed quiet period. +- **PausedByPolicy** Updates are paused by policy. +- **RecoveredFromRS3** Previously recovered from RS3. +- **RS1UninstallActive** Blocked due to an active RS1 uninstall. +- **RS3RollBacks** Exceeded number of allowable RS3 rollbacks. +- **triggerTaskSource** Describe which task launches this instance. +- **WsusManaged** This device is WSUS managed. +- **ZeroExhaust** This device is zero exhaust. + + +### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId + +The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version. + +The following fields are available: + +- **clientID** An identification of the current release of Update Assistant. +- **denyReason** All the reasons why the Update Assistant was prevented from launching. Bitmask with values from UpdateAssistant.cpp eUpgradeModeReason. +- **triggerTaskSource** Describe which task launches this instance. + + +### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId + +Event to mark that Update Assistant Orchestrator failed to launch Update Assistant. + +The following fields are available: + +- **calendarRun** Standard time-based triggered task. +- **clientID** An identification of the current release of Update Assistant. +- **hResult** Error code of the Update Assistant Orchestrator failure. +- **triggerTaskSource** Describe which task launches this instance. + + +### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId + +Event indicating One Settings was not queried by update assistant. + +The following fields are available: + +- **clientID** An identification of the current release of Update Assistant. +- **hResult** Error code of One Settings query failure. + + +### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId + +This event sends basic information on whether the device should be updated to the latest Windows 10 version. + +The following fields are available: + +- **autoStartRunCount** The auto start run count of Update Assistant. +- **clientID** The ID of the current release of Update Assistant. +- **launchMode** Indicates the type of launch performed. +- **launchTypeReason** A bitmask of all the reasons for type of launch. +- **triggerTaskSource** Indicates which task launches this instance. + + +### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId + +The event sends basic info on whether the Windows 10 update notification has previously launched. + +The following fields are available: + +- **clientID** ID of the current release of Update Assistant. +- **restoreReason** All the reasons for the restore. +- **triggerTaskSource** Indicates which task launches this instance. + + ## Update events ### Update360Telemetry.Revert @@ -5722,7 +6113,7 @@ The following fields are available: ### FacilitatorTelemetry.DCATDownload -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure. The following fields are available: @@ -5760,7 +6151,7 @@ The following fields are available: ### Setup360Telemetry.Downlevel -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure. The following fields are available: @@ -6041,7 +6432,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -6219,6 +6610,7 @@ The following fields are available: - **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. - **AttemptNumber** The total number of attempts to acquire this product. +- **BundleId** The bundle ID - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** HResult code to show the result of the operation (success/failure). @@ -6228,6 +6620,7 @@ The following fields are available: - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this happening after a device restore? - **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). - **PFN** Product Family Name of the product being installed. - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The number of attempts by the system to acquire this product. @@ -7169,6 +7562,19 @@ The following fields are available: - **wuDeviceid** The unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.DetectionResult + +This event runs when an update is detected. This helps ensure Windows is kept up to date. + +The following fields are available: + +- **applicableUpdateIdList** A list of applicable update IDs. +- **applicableUpdateList** A list of applicable update names. +- **seekerUpdateIdList** A list of optional update IDs. +- **seekerUpdateList** A list of optional update names. +- **wuDeviceid** The Windows Update device identifier. + + ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded This event indicates the reboot was postponed due to needing a display. @@ -7481,6 +7887,32 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.SeekerUpdateAvailable + +This event defines when an optional update is available for the device to help keep Windows up to date. + +The following fields are available: + +- **flightID** The unique identifier of the Windows Insider build on this device. +- **isFeatureUpdate** Indicates whether the update is a Feature Update. +- **revisionNumber** The revision number of the update. +- **updateId** The GUID (Globally Unique Identifier) of the update. +- **wuDeviceid** The Windows Update device identifier. + + +### Microsoft.Windows.Update.Orchestrator.SeekUpdate + +This event occurs when user initiates "seeker" scan. This helps keep Windows up to date. + +The following fields are available: + +- **flightID** The ID of the Windows Insider builds on the device. +- **isFeatureUpdate** Indicates that the target of the Seek is a feature update. +- **revisionNumber** The revision number of the update. +- **updateId** The identifier of the update. +- **wuDeviceid** The Windows Update device identifier. + + ### Microsoft.Windows.Update.Orchestrator.SystemNeeded This event sends data about why a device is unable to reboot, to help keep Windows up to date. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 65bf5e307f..bbf2e70bfb 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,5 +1,5 @@ --- -description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. Specific to Windows 10, version 1809. +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 @@ -7,14 +7,14 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: dansimp -ms.author: dansimp +author: brianlic-msft +ms.author: brianlic manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 04/19/2019 -ms.reviewer: +ms.date: 01/04/2020 +ms.reviewer: --- @@ -33,7 +33,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 1903 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) + +- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) @@ -81,7 +82,7 @@ Automatically closed activity for start/stop operations that aren't explicitly c ### Microsoft.Windows.Security.AppLockerCSP.AddParams -Parameters passed to Add function of the AppLockerCSP Node. +This event indicates the parameters passed to the Add function of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -91,13 +92,13 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.AddStart -Start of "Add" Operation for the AppLockerCSP Node. +This event indicates the start of an Add operation for the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. ### Microsoft.Windows.Security.AppLockerCSP.AddStop -End of "Add" Operation for AppLockerCSP Node. +This event indicates the end of an Add operation for the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -106,7 +107,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback -Result of the 'Rollback' operation in AppLockerCSP. +This event provides the result of the Rollback operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -116,7 +117,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.ClearParams -Parameters passed to the "Clear" operation for AppLockerCSP. +This event provides the parameters passed to the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -125,13 +126,13 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.ClearStart -Start of the "Clear" operation for the AppLockerCSP Node. +This event indicates the start of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. ### Microsoft.Windows.Security.AppLockerCSP.ClearStop -End of the "Clear" operation for the AppLockerCSP node. +This event indicates the end of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -140,7 +141,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart -Start of the "ConfigManagerNotification" operation for AppLockerCSP. +This event indicates the start of the Configuration Manager Notification operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -149,7 +150,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop -End of the "ConfigManagerNotification" operation for AppLockerCSP. +This event indicates the end of the Configuration Manager Notification operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -158,7 +159,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams -Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. +This event provides the parameters that were passed to the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -169,13 +170,13 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart -Start of the "CreateNodeInstance" operation for the AppLockerCSP node. +This event indicates the start of the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. ### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop -End of the "CreateNodeInstance" operation for the AppLockerCSP node +This event indicates the end of the Create Node Instance operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -184,7 +185,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams -Parameters passed to the DeleteChild function of the AppLockerCSP node. +This event provides the parameters passed to the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -194,13 +195,13 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart -Start of the "DeleteChild" operation for the AppLockerCSP node. +This event indicates the start of the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. ### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop -End of the "DeleteChild" operation for the AppLockerCSP node. +This event indicates the end of the Delete Child operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -209,7 +210,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies -Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. +This event provides the logged Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker if the plug-in GUID is null or the Configuration Service Provider (CSP) doesn't believe the old policy is present. The following fields are available: @@ -218,7 +219,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams -Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. +This event provides the parameters passed to the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -227,13 +228,13 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart -Start of the "GetChildNodeNames" operation for the AppLockerCSP node. +This event indicates the start of the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. ### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop -End of the "GetChildNodeNames" operation for the AppLockerCSP node. +This event indicates the end of the Get Child Node Names operation of the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -244,7 +245,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.GetLatestId -The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). +This event provides the latest time-stamped unique identifier in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -254,7 +255,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.HResultException -HRESULT thrown by any arbitrary function in AppLockerCSP. +This event provides the result code (HRESULT) generated by any arbitrary function in the AppLocker Configuration Service Provider (CSP). The following fields are available: @@ -266,7 +267,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.SetValueParams -Parameters passed to the SetValue function of the AppLockerCSP node. +This event provides the parameters that were passed to the SetValue operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. The following fields are available: @@ -276,7 +277,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.SetValueStart -Start of the "SetValue" operation for the AppLockerCSP node. +This event indicates the start of the SetValue operation in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. @@ -291,7 +292,7 @@ The following fields are available: ### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies -EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. +This event provides information for fixing a policy in the AppLocker Configuration Service Provider (CSP) to help keep Windows secure. It includes Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker that needs to be fixed. The following fields are available: @@ -309,6 +310,8 @@ The following fields are available: - **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device. @@ -322,6 +325,8 @@ The following fields are available: - **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device. @@ -335,6 +340,8 @@ The following fields are available: - **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. - **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device. @@ -348,6 +355,8 @@ The following fields are available: - **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device. @@ -361,6 +370,8 @@ The following fields are available: - **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device. @@ -374,6 +385,8 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. @@ -387,6 +400,8 @@ The following fields are available: - **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device. @@ -400,6 +415,8 @@ The following fields are available: - **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device. @@ -413,6 +430,8 @@ The following fields are available: - **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device. @@ -426,6 +445,8 @@ The following fields are available: - **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device. @@ -439,6 +460,8 @@ The following fields are available: - **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device. @@ -452,6 +475,8 @@ The following fields are available: - **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device. @@ -465,6 +490,8 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device. @@ -478,6 +505,8 @@ The following fields are available: - **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device. @@ -491,6 +520,8 @@ The following fields are available: - **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device. @@ -502,6 +533,7 @@ The following fields are available: - **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. - **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryDeviceContainer** A count of device container objects in cache. @@ -529,6 +561,8 @@ The following fields are available: - **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. - **Wmdrm_19H1** The count of the number of this particular object type present on this device. - **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_20H1** The count of the number of this particular object type present on this device. +- **Wmdrm_20H1Setup** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers. @@ -555,7 +589,7 @@ The following fields are available: - **HasCitData** Indicates whether the file is present in CIT data. - **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. - **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. @@ -659,13 +693,14 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. +This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove @@ -692,7 +727,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -725,7 +760,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -758,7 +793,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. +This event sends compatibility database information about the BIOS to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -791,7 +826,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd -This event sends compatibility decision data about a file to help keep Windows up-to-date. +This event sends compatibility decision data about a file to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -806,7 +841,7 @@ The following fields are available: - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? - **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? -- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsDismissAction** Will the file cause an action that can be dismissed? - **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. - **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? - **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. @@ -843,7 +878,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up to date. +This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -941,10 +976,12 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. - **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? - **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsDismissAction** Will the file cause an action that can be dismissed? - **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? - **SdbBlockUpgrade** Is a matching info block blocking upgrade? - **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? - **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove @@ -1295,7 +1332,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events. ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd @@ -1363,7 +1400,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1438,7 +1475,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1473,7 +1510,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1684,7 +1721,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanAdd -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1723,18 +1760,18 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. +This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. The following fields are available: - **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. - **AppraiserProcess** The name of the process that launched Appraiser. - **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. - **AuxFinal** Obsolete, always set to false. - **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. - **InboxDataVersion** The original version of the data files before retrieving any newer version. - **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. @@ -1743,18 +1780,19 @@ The following fields are available: - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. - **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the telemetry run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser telemetry run. +- **RunResult** The hresult of the Appraiser diagnostic data run. - **ScheduledUploadDay** The day scheduled for the upload. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if telemetry was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **TelementrySent** Indicates whether diagnostic data was successfully sent. +- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. - **Time** The client time of the event. - **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. - **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. +- **WhyRunSkipped** Indicates the reason or reasons that an appraiser run was skipped. ### Microsoft.Windows.Appraiser.General.WmdrmAdd @@ -1798,6 +1836,47 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +## Audio endpoint events + +### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo + +This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint. + +The following fields are available: + +- **BusEnumeratorName** The name of the bus enumerator (for example, HDAUDIO or USB). +- **ContainerId** An identifier that uniquely groups the functional devices associated with a single-function or multifunction device. +- **DeviceInstanceId** The unique identifier for this instance of the device. +- **EndpointDevnodeId** The IMMDevice identifier of the associated devnode. +- **EndpointFormFactor** The enumeration value for the form factor of the endpoint device (for example speaker, microphone, remote network device). +- **endpointID** The unique identifier for the audio endpoint. +- **endpointInstanceId** The unique identifier for the software audio endpoint. Used for joining to other audio event. +- **Flow** Indicates whether the endpoint is capture (1) or render (0). +- **HWID** The hardware identifier for the endpoint. +- **IsBluetooth** Indicates whether the device is a Bluetooth device. +- **IsSideband** Indicates whether the device is a sideband device. +- **IsUSB** Indicates whether the device is a USB device. +- **JackSubType** A unique ID representing the KS node type of the endpoint. +- **MicArrayGeometry** Describes the microphone array, including the microphone position, coordinates, type, and frequency range. See [MicArrayGeometry](#micarraygeometry). +- **persistentId** A unique ID for this endpoint which is retained across migrations. + +### MicArrayGeometry + +This event provides information about the layout of the individual microphone elements in the microphone array. + +The following fields are available: + +- **MicCoords** The location and orientation of the microphone element. +- **usFrequencyBandHi** The high end of the frequency range for the microphone. +- **usFrequencyBandLo** The low end of the frequency range for the microphone. +- **usMicArrayType** The type of the microphone array. +- **usNumberOfMicrophones** The number of microphones in the array. +- **usVersion** The version of the microphone array specification. +- **wHorizontalAngleBegin** The horizontal angle of the start of the working volume (reported as radians times 10,000). +- **wHorizontalAngleEnd** The horizontal angle of the end of the working volume (reported as radians times 10,000). +- **wVerticalAngleBegin** The vertical angle of the start of the working volume (reported as radians times 10,000). +- **wVerticalAngleEnd** The vertical angle of the end of the working volume (reported as radians times 10,000). + ## Census events ### Census.App @@ -2247,6 +2326,7 @@ The following fields are available: - **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. - **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. - **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. +- **VMId** A string that identifies a virtual machine. ### Census.WU @@ -2734,7 +2814,7 @@ The following fields are available: ### TelClientSynthetic.ConnectivityHeartBeat_0 -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. The following fields are available: @@ -3175,6 +3255,20 @@ The following fields are available: - **CV** Correlation vector. +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **CV_new** New correlation vector +- **hResult** HRESULT of the failure + + ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. @@ -3395,6 +3489,144 @@ The following fields are available: - **CV** Correlation vector. +## DISM events + +### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU + +The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot. + +The following fields are available: + +- **dismInstalledLCUPackageName** The name of the latest installed package. + + +### Microsoft.Windows.StartRepairCore.DISMPendingInstall + +The DISM Pending Install event sends information to report pending package installation found. + +The following fields are available: + +- **dismPendingInstallPackageName** The name of the pending package. + + +### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd + +The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in. + +The following fields are available: + +- **errorCode** The result code returned by the event. +- **flightIds** The Flight IDs (identifier of the beta release) of found driver updates. +- **foundDriverUpdateCount** The number of found driver updates. +- **srtRootCauseDiag** The scenario name for a diagnosis event. + + +### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart + +The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in. + +The following fields are available: + +- **srtRootCauseDiag** The scenario name for a diagnosis event. + + +## Driver installation events + +### Microsoft.Windows.DriverInstall.DeviceInstall + +This critical event sends information about the driver installation that took place. + +The following fields are available: + +- **ClassGuid** The unique ID for the device class. +- **ClassLowerFilters** The list of lower filter class drivers. +- **ClassUpperFilters** The list of upper filter class drivers. +- **CoInstallers** The list of coinstallers. +- **ConfigFlags** The device configuration flags. +- **DeviceConfigured** Indicates whether this device was configured through the kernel configuration. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DeviceStack** The device stack of the driver being installed. +- **DriverDate** The date of the driver. +- **DriverDescription** A description of the driver function. +- **DriverInfName** Name of the INF file (the setup information file) for the driver. +- **DriverInfSectionName** Name of the DDInstall section within the driver INF file. +- **DriverPackageId** The ID of the driver package that is staged to the driver store. +- **DriverProvider** The driver manufacturer or provider. +- **DriverUpdated** Indicates whether the driver is replacing an old driver. +- **DriverVersion** The version of the driver file. +- **EndTime** The time the installation completed. +- **Error** Provides the WIN32 error code for the installation. +- **ExtensionDrivers** List of extension drivers that complement this installation. +- **FinishInstallAction** Indicates whether the co-installer invoked the finish-install action. +- **FinishInstallUI** Indicates whether the installation process shows the user interface. +- **FirmwareDate** The firmware date that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareRevision** The firmware revision that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareVersion** The firmware version that will be stored in the EFI System Resource Table (ESRT). +- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. +- **FlightIds** A list of the different Windows Insider builds on the device. +- **GenericDriver** Indicates whether the driver is a generic driver. +- **Inbox** Indicates whether the driver package is included with Windows. +- **InstallDate** The date the driver was installed. +- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. +- **LegacyInstallReasonError** The error code for the legacy installation. +- **LowerFilters** The list of lower filter drivers. +- **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance. +- **NeedReboot** Indicates whether the driver requires a reboot. +- **OriginalDriverInfName** The original name of the INF file before it was renamed. +- **ParentDeviceInstanceId** The device instance ID of the parent of the device. +- **PendedUntilReboot** Indicates whether the installation is pending until the device is rebooted. +- **Problem** Error code returned by the device after installation. +- **ProblemStatus** The status of the device after the driver installation. +- **RebootRequiredReason** DWORD (Double Word—32-bit unsigned integer) containing the reason why the device required a reboot during install. +- **SecondaryDevice** Indicates whether the device is a secondary device. +- **ServiceName** The service name of the driver. +- **SetupMode** Indicates whether the driver installation took place before the Out Of Box Experience (OOBE) was completed. +- **StartTime** The time when the installation started. +- **SubmissionId** The driver submission identifier assigned by the Windows Hardware Development Center. +- **UpperFilters** The list of upper filter drivers. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd + +This event sends data about the driver installation once it is completed. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DriverUpdated** Indicates whether the driver was updated. +- **Error** The Win32 error code of the installation. +- **FlightId** The ID of the Windows Insider build the device received. +- **InstallDate** The date the driver was installed. +- **InstallFlags** The driver installation flags. +- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **RebootRequired** Indicates whether a reboot is required after the installation. +- **RollbackPossible** Indicates whether this driver can be rolled back. +- **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update. +- **WuUntargetedHardwareId** Indicates that the driver was installed because Windows Update performed a generic driver update for all devices of that hardware class. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart + +This event sends data about the driver that the new driver installation is replacing. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **FirstInstallDate** The first time a driver was installed on this device. +- **LastDriverDate** Date of the driver that is being replaced. +- **LastDriverInbox** Indicates whether the previous driver was included with Windows. +- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverVersion** The version of the driver that is being replaced. +- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). +- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). +- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT). +- **LastInstallDate** The date a driver was last installed on this device. +- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous problem code that was set on the device. +- **LastSubmissionId** The driver submission identifier of the driver that is being replaced. + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -3408,12 +3640,15 @@ The following fields are available: - **bootId** The system boot ID. - **BrightnessVersionViaDDI** The version of the Display Brightness Interface. - **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DDIInterfaceVersion** The device driver interface version. - **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). - **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). - **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. - **DriverVersion** The display driver version. +- **DriverWorkarounds** Bitfield data for specific driver workarounds enabled for this device. +- **DriverWorkarounds.Length** The length of the DriverWorkarounds bitfield. - **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. - **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. - **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. @@ -3422,8 +3657,11 @@ The following fields are available: - **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. - **GPURevisionID** The GPU revision ID. - **GPUVendorID** The GPU vendor ID. +- **InterfaceFuncPointersProvided1** The number of device driver interface function pointers provided. +- **InterfaceFuncPointersProvided2** The number of device driver interface function pointers provided. - **InterfaceId** The GPU interface ID. - **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHwSchEnabled** Indicates whether Hardware Scheduling is enabled. - **IsHwSchSupported** Indicates whether the adapter supports hardware scheduling. - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? @@ -3887,7 +4125,7 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd -This event represents the basic metadata about a plug and play (PNP) device and its associated driver. +This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date. This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -3914,7 +4152,7 @@ The following fields are available: - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. @@ -4089,39 +4327,12 @@ The following fields are available: This event sends details collected for a specific application on the source device. -The following fields are available: - -- **AhaVersion** The binary version of the App Health Analyzer tool. -- **ApplicationErrors** The count of application errors from the event log. -- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). -- **device_level** Various JRE/JAVA versions installed on a particular device. -- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. -- **Jar** Flag to determine if an app has a Java JAR file dependency. -- **Jre** Flag to determine if an app has JRE framework dependency. -- **Jre_version** JRE versions an app has declared framework dependency for. -- **Name** Name of the application. -- **NonDPIAware** Flag to determine if an app is non-DPI aware. -- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. -- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. -- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. -- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. -- **VB6** Flag to determine if an app is based on VB6 framework. -- **VB6v2** Additional flag to determine if an app is based on VB6 framework. -- **Version** Version of the application. -- **VersionCheck** Flag to determine if an app has a static dependency on OS version. -- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. ### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync This event indicates the beginning of a series of AppHealthStaticAdd events. -The following fields are available: - -- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. -- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. -- **Enhanced** Indicates the presence of the 'enhanced' command line argument. -- **StartTime** UTC date and time at which this event was sent. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd @@ -4316,10 +4527,10 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **BrowserFlags** Browser flags for Office-related products -- **ExchangeProviderFlags** Provider policies for Office Exchange +- **BrowserFlags** Browser flags for Office-related products. +- **ExchangeProviderFlags** Provider policies for Office Exchange. - **InventoryVersion** The version of the inventory binary generating the events. -- **SharedComputerLicensing** Office shared computer licensing policies +- **SharedComputerLicensing** Office shared computer licensing policies. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync @@ -4534,6 +4745,250 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +### Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig + +This critical device configuration event provides information about drivers for a driver installation that took place within the kernel. + +The following fields are available: + +- **ClassGuid** The unique ID for the device class. +- **DeviceInstanceId** The unique ID for the device on the system. +- **DriverDate** The date of the driver. +- **DriverFlightIds** The IDs for the driver flights. +- **DriverInfName** Driver INF file name. +- **DriverProvider** The driver manufacturer or provider. +- **DriverSubmissionId** The driver submission ID assigned by the hardware developer center. +- **DriverVersion** The driver version number. +- **ExtensionDrivers** The list of extension driver INF files, extension IDs, and associated flight IDs. +- **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. +- **InboxDriver** Indicates whether the driver package is included with Windows. +- **InstallDate** Date the driver was installed. +- **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. +- **Legacy** Indicates whether the driver is a legacy driver. +- **NeedReboot** Indicates whether the driver requires a reboot. +- **SetupMode** Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE). +- **StatusCode** The NTSTATUS of device configuration operation. + + +### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem + +This event is sent when a problem code is cleared from a device. + +The following fields are available: + +- **Count** The total number of events. +- **DeviceInstanceId** The unique identifier of the device on the system. +- **LastProblem** The previous problem that was cleared. +- **LastProblemStatus** The previous NTSTATUS value that was cleared. +- **Problem** The new problem code set on the device node. +- **ProblemStatus** The new NT_STATUS set on the device node. +- **ServiceName** The name of the driver or service attached to the device. + + +### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem + +This event is sent when a new problem code is assigned to a device. + +The following fields are available: + +- **Count** The total number of events. +- **DeviceInstanceId** The unique identifier of the device in the system. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous NTSTATUS value that was set on the device. +- **Problem** The new problem code that was set on the device. +- **ProblemStatus** The new NTSTATUS value that was set on the device. +- **ServiceName** The driver or service name that is attached to the device. + + +## Microsoft Edge events + +### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config + +This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config + +This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config + +This event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config + +This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + +### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping + +This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date. + +The following fields are available: + +- **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''. +- **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update. +- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown). +- **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev). +- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. +- **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. +- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. Default: '-2' (Unknown). +- **appExperiments** A semicolon-delimited key/value list of experiment identifiers and treatment groups. This field is unused and always empty in Edge Update. Default: ''. +- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. +- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. +- **appNextVersion** The version of the app that the update attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'. +- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. +- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. +- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'. +- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. +- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. +- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. +- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'. +- **appPingEventEventResult** An enumeration indicating the result of the event. Common values are '0' (Error) and '1' (Success). Default: '0' (Error). +- **appPingEventEventType** An enumeration indicating the type of the event and the event stage. Default: '0' (Unknown). +- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. +- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventSequenceId** An ID that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. +- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a tag. +- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. +- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' MUST match '1.2.3.4' but MUST NOT match '1.2.34'). Default: ''. +- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request is sent over SSL or another secure protocol. This field is unused by Edge Update and always empty. Default: ''. +- **appVersion** The version of the product install. Default: '0.0.0.0'. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **eventType** A string representation of appPingEventEventType indicating the type of the event. +- **hwHasAvx** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. +- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. +- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. +- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with minimal formatting. Default: ''. +- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. +- **osVersion** The primary version of the operating system. '' if unknown. Default: ''. +- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'. +- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''. +- **requestDomainJoined** '1' if the device is part of a managed enterprise domain. Otherwise '0'. +- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''. +- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'. +- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''. +- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'. +- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients MUST always transmit this attribute. Default: undefined. +- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Default: ''. +- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''. +- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique sessionid. Default: ''. +- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''. +- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt should have (with high probability) a unique request id. Default: ''. + + +### Aria.f4a7d46e472049dfba756e11bdbbc08f.Microsoft.WebBrowser.SystemInfo.Config + +This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. + +The following fields are available: + +- **app_version** The internal Microsoft Edge build version string. +- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). +- **Channel** An integer indicating the channel of the installation (Canary or Dev). +- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled. +- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth +- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode. +- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode. +- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full +- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. +- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). +- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. +- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. +- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level +- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. + + ## Migration events ### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr @@ -4747,6 +5202,7 @@ This event determines the error code that was returned when verifying Internet c The following fields are available: +- **failedCheck** The error code returned by the operation. - **winInetError** The HResult of the operation. @@ -4802,6 +5258,23 @@ The following fields are available: - **originatingContextName** The name of the originating call context that resulted in the failure. - **threadId** The ID of the thread on which the activity is executing. +## Privacy notifier events + + +### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted + +This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue. + +The following fields are available: + +- **cleanupTask** Indicates whether the task that launched the dialog should be cleaned up. +- **cleanupTaskResult** The return code of the attempt to clean up the task used to show the dialog. +- **deviceEvaluated** Indicates whether the device was eligible for evaluation of a known issue. +- **deviceImpacted** Indicates whether the device was impacted by a known issue. +- **modalAction** The action the user took on the dialog that was presented to them. +- **modalResult** The return code of the attempt to show a dialog to the user explaining the issue. +- **resetSettingsResult** The return code of the action to correct the known issue. + ## Remediation events @@ -4880,24 +5353,11 @@ The following fields are available: - **QualityUpdateSedimentTargetedTriggers** Provides information about remediations that are applicable to enable Quality Updates on the device. - **RegkeysExist** Indicates whether specified registry keys exist. - **Reload** True if SIH reload is required. -- **RemediationAutoUAAcLineStatus** Indicates the power status returned by the Automatic Update Assistant tool. -- **RemediationAutoUAAutoStartCount** Indicates the number of times the Automatic Update Assistant tool has automatically started. -- **RemediationAutoUACalendarTaskEnabled** Indicates whether an Automatic Update Assistant tool task is enabled. -- **RemediationAutoUACalendarTaskExists** Indicates whether an Automatic Update Assistant tool task exists. -- **RemediationAutoUACalendarTaskTriggerEnabledCount** Indicates the number of times an Automatic Update Assistant tool task has been triggered. -- **RemediationAutoUADaysSinceLastTaskRunTime** Indicates the last run time an Automatic Update Assistant tool task was run. -- **RemediationAutoUAGetCurrentSize** Indicates the current size of the Automatic Update Assistant tool. +- **RemediationAutoUACleanupNeeded** Automatic Update Assistant cleanup is required. - **RemediationAutoUAIsInstalled** Indicates whether the Automatic Update Assistant tool is installed. -- **RemediationAutoUALastTaskRunResult** Indicates the result from the last time the Automatic Update Assistant tool was run. -- **RemediationAutoUAMeteredNetwork** Indicates whether the Automatic Update Assistant tool is running on a metered network. -- **RemediationAutoUATaskEnabled** Indicates whether the Automatic Update Assistant tool task is enabled. -- **RemediationAutoUATaskExists** Indicates whether an Automatic Update Assistant tool task exists. +- **RemediationAutoUATaskDisabled** Indicates whether the Automatic Update Assistant tool task is disabled. +- **RemediationAutoUATaskNotExists** Indicates whether an Automatic Update Assistant tool task does not exist. - **RemediationAutoUATasksStalled** Indicates whether an Automatic Update Assistant tool task is stalled. -- **RemediationAutoUATaskTriggerEnabledCount** Indicates how many times an Automatic Update Assistant tool task was triggered. -- **RemediationAutoUAUAExitCode** Indicates any exit code provided by the Automatic Update Assistant tool. -- **RemediationAutoUAUAExitState** Indicates the exit state of the Automatic Update Assistant tool. -- **RemediationAutoUAUserLoggedIn** Indicates whether a user is logged in. -- **RemediationAutoUAUserLoggedInAdmin** Indicates whether a user is logged in as an Administrator. - **RemediationCorruptionRepairBuildNumber** The build number to use to repair corruption. - **RemediationCorruptionRepairCorruptionsDetected** Indicates whether corruption was detected. - **RemediationCorruptionRepairDetected** Indicates whether an attempt was made to repair the corruption. @@ -5010,6 +5470,7 @@ The following fields are available: - **branchReadinessLevel** Branch readiness level policy. - **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings. - **CV** The Correlation Vector. +- **DateTimeDifference** The difference between the local and reference clocks. - **DiskFreeSpaceAfterSedimentPackInMB** The amount of free disk space (in megabytes) after executing the Sediment Pack. - **DiskFreeSpaceBeforeSedimentPackInMB** The amount of free disk space (in megabytes) before executing the Sediment Pack. - **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. @@ -5038,6 +5499,7 @@ The following fields are available: - **QualityUpdateSedimentMatchedTriggers** The list of triggers that were matched by the Windows Quality Update remediation. - **QualityUpdateSedimentModelExecutionSeconds** The number of seconds needed to execute the Windows Quality Update remediation. - **recoveredFromTargetOS** Indicates whether the device recovered from the target operating system (OS). +- **RemediationAutoUASpaceSaved** Amount of disk space saved in MB after cleaning up AutoUA folders. - **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation. - **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power. - **RemediationBatteryPowerOnBattery** True if we allow execution on battery. @@ -5046,8 +5508,12 @@ The following fields are available: - **RemediationComponentCleanupEstimateInMB** The amount of space (megabytes) in the WinSxS (Windows Side-by-Side) folder that is available for cleanup by the plug-in. - **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. - **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. +- **RemediationCorruptionIsManifestFix** Boolean indicating if the manifest was repaired. - **RemediationCorruptionRepairCorruptionsDetected** Number of corruptions detected on the device. - **RemediationCorruptionRepairCorruptionsFixed** Number of detected corruptions that were fixed on the device. +- **RemediationCorruptionRepairDownloadCompleted** Boolean indicating if the download of manifest cab was completed. +- **RemediationCorruptionRepairDownloadRequired** Boolean indicating if the download of manifest cab is required for repair. +- **RemediationCorruptionRepairMeteredNetwork** Boolean indicating if the device is on a metered network. - **RemediationCorruptionRepairPerformActionSuccessful** Indicates whether corruption repair was successful on the device. - **RemediationDiskCleanupSearchFileSizeInMB** The size of the Cleanup Search index file, measured in megabytes. - **RemediationDiskSpaceSavedByCompressionInMB** The amount of disk space (megabytes) that was compressed by the plug-in. @@ -5096,6 +5562,7 @@ The following fields are available: - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive, in megabytes. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **uninstallActive** TRUE if previous uninstall has occurred for current OS +- **UpdateApplicabilityFixedBitMap** Bitmap indicating which fixes were applied by the plugin. - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. - **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. @@ -5357,6 +5824,45 @@ The following fields are available: - **WUDeviceID** The unique identifier controlled by the software distribution client. +### SIHEngineTelemetry.ExecuteAction + +This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. + +The following fields are available: + +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **RebootRequired** Indicates if a reboot was required to complete the action. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). +- **SihclientVersion** The SIH version. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WuapiVersion** The Windows Update API version. +- **WuaucltVersion** The Windows Update version identifier for SIH. +- **WuauengVersion** The Windows Update engine version identifier. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +### SIHEngineTelemetry.PostRebootReport + +This event reports the status of an action following a reboot, should one have been required. + +The following fields are available: + +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). +- **SihclientVersion** Version of SIH Client on the device. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WuapiVersion** Version of Windows Update DLL on the device. +- **WuaucltVersion** Version of WUAUCLT (Windows Update Auto-Update Client) on the device. +- **WuauengVersion** Version of Windows Update (Auto-Update) engine on the device. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + ## Software update events ### SoftwareUpdateClientTelemetry.CheckForUpdates @@ -5511,6 +6017,7 @@ The following fields are available: - **DeviceModel** The model of the device. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. - **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events. - **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. @@ -5818,12 +6325,12 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether The following fields are available: - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. - **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. - **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. - **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce - **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). - **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. @@ -5834,8 +6341,8 @@ The following fields are available: - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** An encoded string of the timestamp token. - **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. - **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. - **UpdateId** The update ID for a specific piece of content. @@ -5854,7 +6361,6 @@ The following fields are available: - **UsageMean** The mean of hourly average CPU usage. - **UsageMedian** The median of hourly average CPU usage. - **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. -- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. ### Microsoft.Windows.Srum.Sdp.NetworkUsage @@ -5868,7 +6374,6 @@ The following fields are available: - **BytesTotalMean** The mean of the hourly average bytes total. - **BytesTotalMedian** The median of the hourly average bytes total. - **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. -- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. - **LinkSpeed** The adapter link speed. @@ -5914,7 +6419,9 @@ This event sends data for the download request phase of updating Windows via the The following fields are available: +- **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload. - **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadComplete** Indicates if the download is complete. - **DownloadRequests** Number of times a download was retried. - **ErrorCode** The error code returned for the current download request phase. - **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. @@ -6136,12 +6643,15 @@ The following fields are available: - **ErrorCode** The error code returned for the current reboot. - **FlightId** Unique ID for the flight (test instance version). +- **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE. - **ObjectId** The unique value for each Update Agent mode. +- **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0. - **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. - **Result** The HResult of the event. - **ScenarioId** The ID of the update scenario. - **SessionId** The ID of the update attempt. - **UpdateId** The ID of the update. +- **UpdateState** Indicates the state of the machine when Suspend is called. For example, Install, Download, Commit. ### Update360Telemetry.UpdateAgentSetupBoxLaunch @@ -6160,6 +6670,7 @@ The following fields are available: - **SandboxSize** Size of the sandbox. - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. +- **SetupLaunchAttemptCount** Indicates the count of attempts to launch setup for the current Update Agent instance. - **SetupMode** Mode of setup to be launched. - **UpdateId** Unique ID for each Update. - **UserSession** Indicates whether install was invoked by user actions. @@ -6167,6 +6678,22 @@ The following fields are available: ## Update notification events +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat + +This event is sent at the start of each campaign, to be used as a heartbeat. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Current campaign that is running on Update Notification Pipeline. +- **ConfigCatalogVersion** Current catalog version of Update Notification Pipeline. +- **ContentVersion** Content version for the current campaign on Update Notification Pipeline. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on Update Notification Pipeline. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current package version for Update Notification Pipeline. + + ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. @@ -6183,11 +6710,28 @@ The following fields are available: - **PackageVersion** Current UNP package version. +### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed + +This event is sent when the Campaign Manager encounters an unexpected error while running the campaign. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that's running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **hresult** HRESULT of the failure. +- **PackageVersion** Current UNP package version. + + ## Upgrade events ### FacilitatorTelemetry.DCATDownload -This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up to date and secure. The following fields are available: @@ -6206,13 +6750,8 @@ This event returns data about the download of supplemental packages critical to The following fields are available: -- **DownloadRequestAttributes** The attributes sent for download. - **PackageCategoriesFailed** Lists the categories of packages that failed to download. - **PackageCategoriesSkipped** Lists the categories of package downloads that were skipped. -- **ResultCode** The result of the event execution. -- **Scenario** Identifies the active Download scenario. -- **Url** The URL the download request was sent to. -- **Version** Identifies the version of Facilitator used. ### FacilitatorTelemetry.InitializeDU @@ -6231,7 +6770,7 @@ The following fields are available: ### Setup360Telemetry.Downlevel -This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up to date and secure. The following fields are available: @@ -6512,7 +7051,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -6573,6 +7112,18 @@ The following fields are available: - **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. ## Windows Error Reporting MTT events @@ -6587,28 +7138,8 @@ The following fields are available: - **Value** Standard UTC emitted DP value structure See [Value](#value). -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. - - ## Windows Store events -### Microsoft.Windows.Store.StoreActivating - -This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. - - - ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. @@ -6697,6 +7228,7 @@ The following fields are available: - **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. - **AttemptNumber** The total number of attempts to acquire this product. +- **BundleId** The identity of the test build (flight) associated with this product. - **CategoryId** The identity of the package or packages being installed. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** HResult code to show the result of the operation (success/failure). @@ -6706,6 +7238,7 @@ The following fields are available: - **IsRemediation** Is this repairing a previous installation? - **IsRestore** Is this happening after a device restore? - **IsUpdate** Is this an update? +- **ParentBundleId** The product identifier of the parent if this product is part of a bundle. - **PFN** Product Family Name of the product being installed. - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The number of attempts by the system to acquire this product. @@ -6996,6 +7529,11 @@ This event sends simple Product and Service usage data when a user is using the The following fields are available: - **Phase** The image creation phase. Values are “Start” or “End”. +- **Result** Result of the image creation phase. Indicates if the image was created successfully. Value is integer. +- **WorkspaceArchitecture** Architecture of image created. +- **WorkspaceOsEdition** OSEdition of the image created. +- **WskImageEnvironment** Type of environment image was created for "Lab" or "Non-Lab". +- **WskSessionId** A string identifier (GUID) for the workspace. - **WskVersion** The version of the Windows System Kit being used. @@ -7009,7 +7547,9 @@ The following fields are available: - **CustomizationType** Indicates the type of customization (drivers or apps). - **Mode** The mode of update to image configuration files. Values are “New” or “Update”. - **Phase** The image creation phase. Values are “Start” or “End”. +- **Result** Result of the image creation phase. - **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskSessionId** A string identifier (GUID) for the workspace. - **WskVersion** The version of the Windows System Kit being used. @@ -7022,11 +7562,21 @@ The following fields are available: - **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. - **OsEdition** The Operating System Edition that the workspace will target. - **Phase** The image creation phase. Values are “Start” or “End”. +- **Result** Stage result. Values are integers. - **WorkspaceArchitecture** The operating system architecture that the workspace will target. - **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskSessionId** A string identifier (GUID) for the workspace. - **WskVersion** The version of the Windows System Kit being used. +## Windows Update CSP events + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted + +This event sends basic information indicating that Feature Rollback has started. + + + ## Windows Update Delivery Optimization events ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled @@ -7100,6 +7650,7 @@ The following fields are available: - **groupConnectionCount** The total number of connections made to peers in the same group. - **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. - **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isThrottled** Indicates the Event Rate was throttled (event represent aggregated data). - **isVpn** Is the device connected to a Virtual Private Network? - **jobID** Identifier for the Windows Update job. - **lanConnectionCount** The total number of connections made to peers in the same LAN. @@ -7504,6 +8055,16 @@ The following fields are available: - **wuDeviceid** Device ID. +### Microsoft.Windows.Update.Orchestrator.CommitFailed + +This event indicates that a device was unable to restart after an update. + +The following fields are available: + +- **errorCode** The error code that was returned. +- **wuDeviceid** The Windows Update device GUID. + + ### Microsoft.Windows.Update.Orchestrator.DeferRestart This event indicates that a restart required for installing updates was postponed. @@ -7545,6 +8106,39 @@ The following fields are available: - **wuDeviceid** The unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.DetectionActivity + +This event returns data about detected updates, as well as the types of update (optional or recommended). This data helps keep Windows up to date. + +The following fields are available: + +- **applicableUpdateIdList** The list of update identifiers. +- **applicableUpdateList** The list of available updates. +- **durationInSeconds** The amount of time (in seconds) it took for the event to run. +- **expeditedMode** Indicates whether Expedited Mode is on. +- **networkCostPolicy** The network cost. +- **scanTriggerSource** Indicates whether the scan is Interactive or Background. +- **scenario** The result code of the event. +- **scenarioReason** The reason for the result code (scenario). +- **seekerUpdateIdList** The list of “seeker” update identifiers. +- **seekerUpdateList** The list of “seeker” updates. +- **services** The list of services that were called during update. +- **wilActivity** The activity results. See [wilActivity](#wilactivity). + + +### Microsoft.Windows.Update.Orchestrator.DetectionResult + +This event runs when an update is detected. This helps ensure Windows is kept up to date. + +The following fields are available: + +- **applicableUpdateIdList** A list of applicable update IDs. +- **applicableUpdateList** A list of applicable update names. +- **seekerUpdateIdList** A list of optional update IDs. +- **seekerUpdateList** A list of optional update names. +- **wuDeviceid** The Windows Update device identifier. + + ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded This event indicates the reboot was postponed due to needing a display. @@ -7720,6 +8314,23 @@ The following fields are available: - **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). +### Microsoft.Windows.Update.Orchestrator.PostInstall + +This event is sent after a Windows update install completes. + +The following fields are available: + +- **batteryLevel** Current battery capacity in megawatt-hours (mWh) or percentage left. +- **bundleId** The unique identifier associated with the specific content bundle. +- **bundleRevisionnumber** Identifies the revision number of the content bundle. +- **errorCode** The error code returned for the current phase. +- **eventScenario** State of update action. +- **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. +- **sessionType** The Windows Update session type (Interactive or Background). +- **updateScenarioType** Identifies the type of Update session being performed. +- **wuDeviceid** The unique device identifier used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.PreShutdownStart This event is generated before the shutdown and commit operations. @@ -7791,6 +8402,32 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.SeekerUpdateAvailable + +This event defines when an optional update is available for the device to help keep Windows up to date. + +The following fields are available: + +- **flightID** The unique identifier of the Windows Insider build on this device. +- **isFeatureUpdate** Indicates whether the update is a Feature Update. +- **revisionNumber** The revision number of the update. +- **updateId** The GUID (Globally Unique Identifier) of the update. +- **wuDeviceid** The Windows Update device identifier. + + +### Microsoft.Windows.Update.Orchestrator.SeekUpdate + +This event occurs when user initiates "seeker" scan. This helps keep Windows up to date. + +The following fields are available: + +- **flightID** The ID of the Windows Insider builds on the device. +- **isFeatureUpdate** Indicates that the target of the Seek is a feature update. +- **revisionNumber** The revision number of the update. +- **updateId** The identifier of the update. +- **wuDeviceid** The Windows Update device identifier. + + ### Microsoft.Windows.Update.Orchestrator.StickUpdate This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. @@ -8018,19 +8655,19 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** Unique identifier for each flight. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. -- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. -- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. -- **ReparsePointsSkipped** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ReparsePointsFailed** Number of reparse points that were corrupted but were not fixed by this mitigation. +- **ReparsePointsFixed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsSkipped** Number of reparse points that are not corrupted and no action is required. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique ID for the update session. +- **UpdateId** Unique ID for the Windows Update. - **WuId** Unique ID for the Windows Update client. @@ -8103,6 +8740,7 @@ This event is sent when the Update Reserve Manager prepares the Trusted Installe The following fields are available: +- **FallbackLogicUsed** Indicates whether fallback logic was used for initialization. - **Flags** The flags that are passed to the function to prepare the Trusted Installer for reserve initialization. diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 780532c8fb..9891ddf467 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index b7c13357d2..d38454e785 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 20cdc6691b..af729c8f0f 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 259b1f258f..397f577291 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -33,11 +33,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index b45f2a51e5..51ee30b209 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -33,11 +33,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index 695f9e9477..b1bf959c78 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -33,11 +33,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml index ac72f26612..61f2073d2e 100644 --- a/windows/release-information/status-windows-10-1909.yml +++ b/windows/release-information/status-windows-10-1909.yml @@ -33,11 +33,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index dadedc3369..574e1ff814 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 3db7d9a3ea..388b55fa0a 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index ba7311b1cc..0a5c7ee17d 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index ae33c73b72..96c3cad5e2 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -29,11 +29,11 @@ sections: columns: 3 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index e8c99b7485..ee042491ec 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -23,11 +23,11 @@ sections: columns: 2 items: - - href: https://aka.ms/how-to-get-1909 - html: Get the update > + - href: https://www.microsoft.com/en-us/microsoft-365/blog/2020/01/14/windows-7-support-ends-today-and-windows-10-is-better-than-ever/ + html: Find out what you need to know > image: - src: http://docs.microsoft.com/media/common/i_download-install.svg - title: Windows 10, version 1909 now available + src: https://docs.microsoft.com/media/common/i_alert.svg + title: Windows 7 has reached end of support - href: https://aka.ms/1909mechanics html: Explore the improvements > image: @@ -50,8 +50,9 @@ sections: text: " + - + diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 610edeb54d..69155363d3 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -86,6 +86,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic ``` dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` +> [!NOTE] +> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 72257804e5..d1efe88759 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -68,3 +68,5 @@ Following are the various deployment guides and models included in this topic: Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. +> [!NOTE] +> You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 9874fcd53a..54e4021adc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -58,6 +58,9 @@ To resolve this issue, the CRL distribution point must be a location that is acc If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. +> [!NOTE] +> If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. + ### Windows Server 2016 Domain Controllers If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. @@ -335,6 +338,3 @@ Sign-in a workstation with access equivalent to a _domain user_. If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). - - - diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 8ed6db6fb4..f7a5eed854 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -118,6 +118,11 @@ Hybrid certificate trust deployments need the device write back feature. Authen > [!NOTE] > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory, and therefore the device writeback is used to update the msDS-KeyCredentialLink on the computer object. +## Provisioning + +You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. + + ### Section Checklist ### > [!div class="checklist"] > * Azure Active Directory Device writeback diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index e2d7d4fc9c..16c17aa3f9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -31,7 +31,7 @@ In hybrid deployments, users register the public portion of their Windows Hello The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. > [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. +> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article. ### Configure Permissions for Key Synchronization @@ -56,9 +56,6 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. - >[!IMPORTANT] - > If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. - 3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**. 4. Click the **Members** tab and click **Add** 5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index d2694a48af..d2b1de480f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -40,7 +40,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. -You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. @@ -125,7 +125,11 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth ## Device Registration Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. - + +## Provisioning + +You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. + ### Section Checklist diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 5f6fb9480c..57a2493e4c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -196,7 +196,7 @@ Alternatively, you can forcefully trigger automatic certificate enrollment using Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. -## Follow the Windows Hello for Business on premises certificate trust deployment guide +## Follow the Windows Hello for Business on premises key trust deployment guide 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. Validate and Configure Public Key Infrastructure (*You are here*) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 2e4f0f0749..288347b3aa 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -1,9 +1,9 @@ --- -title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) +title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -15,26 +15,29 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/13/2019 +ms.date: 01/09/2020 --- -# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager +# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager **Applies to:** - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager -System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy -After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. +After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. + +>[!TIP] +> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues. **To create a configuration item for WIP** -1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. +1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) + ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. @@ -43,7 +46,7 @@ The **Create Configuration Item Wizard** starts. 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 @@ -62,7 +65,7 @@ The **Create Configuration Item Wizard** starts. The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. ## Add app rules to your policy -During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. @@ -295,9 +298,9 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` -12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. +12. After you’ve created your XML file, you need to import it by using Configuration Manager. -**To import your Applocker policy file app rule using System Center Configuration Manager** +**To import your Applocker policy file app rule using Configuration Manager** 1. From the **App rules** area, click **Add**. The **Add app rule** box appears. @@ -506,3 +509,5 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) + +- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index a0cee44011..84f646914b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -121,6 +121,7 @@ ##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md) ##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md) ##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md) +##### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md) ##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) ##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) ##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md index 4d241c4a55..c7fd28fc75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md @@ -26,7 +26,7 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. +The `AlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md new file mode 100644 index 0000000000..e12b58d2c7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md @@ -0,0 +1,60 @@ +--- +title: DeviceFileCertificateInfoBeta table in the advanced hunting schema +description: Learn about file signing information in the DeviceFileCertificateInfoBeta table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfoBeta +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 01/14/2020 +--- + +# DeviceFileCertificateInfoBeta + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +The `DeviceFileCertificateInfoBeta` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints. + +For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `Timestamp` | datetime | Date and time when the event was recorded | +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `SHA1` | string | SHA-1 of the file that the recorded action was applied to | +| `IsSigned` | boolean | Indicates whether the file is signed | +| `SignatureType` | string | Indicates whether signature information was read as embedded | content in the file itself or read from an external catalog file | +| `Signer` | string | Information about the signer of the file | +| `SignerHash` | string | Unique hash value identifying the signer | +| `Issuer` | string | Information about the issuing certificate authority (CA) | +| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) | +| `CertificateSerialNumber` | string | Identifier for the certificate that is unique to the issuing certificate authority (CA) | +| `CrlDistributionPointUrls` | string | JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs) | +| `CertificateCreationTime` | datetime | Date and time the certificate was created | +| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire | +| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned | +| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes | +| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft | +| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | + + +## Related topics +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index e1cbdc7933..85f9a0c799 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -23,8 +23,7 @@ ms.date: 10/08/2019 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query. @@ -141,5 +140,4 @@ For detailed information about the query language, see [Kusto query language doc - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -> [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 7c64003218..8eb7542ce5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/08/2019 +ms.date: 01/14/2020 --- # Understand the advanced hunting schema @@ -47,6 +47,7 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events | | **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events | | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | +| **[DeviceFileCertificateInfoBeta](advanced-hunting-devicefilecertificateinfobeta-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints | | **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products | | **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available | | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype-swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype-swupdatefilter.png new file mode 100644 index 0000000000..7bea07f260 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype-swupdatefilter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png index 76dce431e1..7bea07f260 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png and b/windows/security/threat-protection/microsoft-defender-atp/images/remediationtype_swupdatefilter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png new file mode 100644 index 0000000000..ca51512b09 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png index 5d1588dee2..ca51512b09 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_flyouteolsw.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracy.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracy.png new file mode 100644 index 0000000000..4b1c91c9e4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracy.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyflyout.png new file mode 100644 index 0000000000..9af2ad6945 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyflyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyoptions.png new file mode 100644 index 0000000000..09c4876e1d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-inaccuracyoptions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png new file mode 100644 index 0000000000..80dbf3635b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec_updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec_updated.png new file mode 100644 index 0000000000..80dbf3635b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec_updated.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 6cad2a8034..be43f23ee8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -63,7 +63,7 @@ The three most recent major releases of macOS are supported. - 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) - Disk space: 650 MB -Beta versions of macOS are not supported. macOS Sierra (10.12) support will end on January 1, 2020. +Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020. After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 4f71aff441..047a7888c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -47,18 +47,19 @@ You can access the security recommendation from the Microsoft Defender ATP Threa *Security recommendations option from the left navigation menu* 1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities. -![Screenshot of Security recommendations page](images/tvm_securityrecommendation-graph.png) +![Screenshot of Security recommendations page](images/tvmsecrec-updated.png) >[!NOTE] > The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what’s on the left, which means an increase or decrease at the end of even a single machine will change the graph's color. You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**. -

![Screenshot of the remediation type filters for software update and uninstall](images/remediationtype_swupdatefilter.png) +

![Screenshot of the remediation type filters for software update and uninstall](images/remediationtype-swupdatefilter.png) 2. Select the security recommendation that you need to investigate or process. -

![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec_flyouteolsw.png) +

![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png) - *Top security recommendations from the dashboard* + +*Top security recommendations from the dashboard* In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. @@ -81,12 +82,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 1. Select the **Security recommendation** tab. 2. Click **:** beside the security recommendation that you want to report about, then select **Report inaccuracy**. -![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm_report_inaccuracy.png) +![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm-report-inaccuracy.png)
A flyout pane opens.
-![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracyflyout.png) +![Screenshot of Report inaccuracy flyout pane](images/tvm-report-inaccuracyflyout.png) 3. From the flyout pane, select the inaccuracy category from the drop-down menu. -
![Screenshot of Report inaccuracy categories drop-down menu](images/tvm_report_inaccuracyoptions.png)
+
![Screenshot of Report inaccuracy categories drop-down menu](images/tvm-report-inaccuracyoptions.png)
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 802f0fdc28..92ffe6cd6c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -19,7 +19,7 @@ ms.date: 04/19/2017 # Interactive logon: Do not require CTRL+ALT+DEL **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting. @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. -If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon). @@ -37,13 +37,13 @@ A malicious user might install malware that looks like the standard logon dialog ### Possible values -- Enabled -- Disabled -- Not defined +- Enabled +- Disabled +- Not defined ### Best practices -- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. +- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. ### Location diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index c4c23a9ddd..1cae26190b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -23,11 +23,11 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. +This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps. -On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process: +On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps: 1. Open an administrator-level version of the command prompt as follows: @@ -37,19 +37,15 @@ On at least two endpoints that are not reporting or showing up in Update Complia c. Enter administrator credentials or approve the prompt. -2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example: +2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`. - ```Dos - cd c:\program files\windows\defender - ``` - -3. Enter the following command and press **Enter** +3. Type the following command, and then press **Enter** ```Dos mpcmdrun -getfiles ``` -4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. +4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. 5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 7bee1e3696..a76c0ab71a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -32,11 +32,11 @@ You can manage and configure Windows Defender Antivirus with the following tools - Windows Management Instrumentation (WMI) - The mpcmdrun.exe utility -The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus. +The articles in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus. ## In this section -Topic | Description +Article | Description ---|--- [Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus [Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 5d969e79a9..1799b30b71 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 10/25/2018 ms.reviewer: manager: dansimp @@ -30,11 +29,11 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic -**Use Configuration Manager to configure scanning options:** +## Use Configuration Manager to configure scanning options: See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). -**Use Group Policy to configure scanning options** +## Use Group Policy to configure scanning options To configure the Group Policy settings described in the following table: @@ -63,15 +62,15 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif >[!NOTE] >If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. -**Use PowerShell to configure scanning options** +## Use PowerShell to configure scanning options See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use WMI to configure scanning options** +## Use WMI to configure scanning options For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). -### Email scanning limitations +## Email scanning limitations We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png b/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png new file mode 100644 index 0000000000..37604390f6 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/tamperprotectionturnedon.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index b2195fe31d..21736ff5a6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -66,7 +66,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And, > > Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. -If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to perform the following task. +If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this. 1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**. @@ -76,21 +76,24 @@ If you are a home user, or you are not subject to settings managed by a security Here's what you see in the Windows Security app: -![Turning tamper protection on in Windows 10 Home](images/turnontamperprotect-consumer.png) +![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png) ## Turn tamper protection on (or off) for your organization using Intune -If you are part of your organization's security team, you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). (This feature is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below.) +If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)). + +> [!NOTE] +> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below. You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. 1. Make sure your organization meets all of the following requirements: - - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.) - - Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities). + - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)). + - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) - Your Windows machines must be running Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).) + - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).) 2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account. @@ -116,7 +119,7 @@ Here's what you see in the Windows Security app: ### Are you using Windows OS 1709, 1803, or 1809? -If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, the one of the following procedures to determine whether tamper protection is enabled. +If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled. #### Use PowerShell to determine whether tamper protection is turned @@ -126,16 +129,6 @@ If you are using Windows OS [1709](https://docs.microsoft.com/windows/release-in 3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.) -#### View a registry key value to determine whether tamper protection is turned on - -1. Open the Registry Editor app. - -2. Go to **HKEY_LOCAL_MACHINE** > **SOFTWARE** > **Microsoft** > **Windows Defender** > **Features**. - -3. Look for an entry of **TamperProtection** of type **REG_DWORD**, with a value of **0x5**.
- - If you see **TamperProtection** with a value of **0**, tamper protection is not turned on. - - If you do not see **TamperProtection** at all, tamper protection is not turned on. - ## View information about tampering attempts Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 4187645c2e..8837f79190 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 ms.reviewer: manager: dansimp --- @@ -127,8 +126,8 @@ See the following for more information: 3. Select **Windows Defender Offline scan** and click **Scan now**. -> [!NOTE] -> In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client. + > [!NOTE] + > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client. ## Review scan results diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 5935c90319..be4f7240f1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 ms.reviewer: manager: dansimp --- @@ -47,7 +46,7 @@ See the [Windows Security topic](/windows/threat-protection/windows-defender-sec 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). -![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) ## Comparison of settings and functions of the old app and the new app @@ -96,7 +95,7 @@ This section describes how to perform some of the most common tasks when reviewi 3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. -![Security intelligence version number information](images/defender/wdav-wdsc-defs.png) + ![Security intelligence version number information](images/defender/wdav-wdsc-defs.png) 4. Click **Check for updates** to download new protection updates (if there are any). @@ -111,9 +110,9 @@ This section describes how to perform some of the most common tasks when reviewi 4. Toggle the **Real-time protection** switch to **On**. ->[!NOTE] ->If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. ->If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). + >[!NOTE] + >If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. + >If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). @@ -129,18 +128,20 @@ This section describes how to perform some of the most common tasks when reviewi 4. Under the **Exclusions** setting, click **Add or remove exclusions**. 5. Click the plus icon to choose the type and set the options for each exclusion. - ### Review threat detection history in the Windows Defender Security Center app -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Threat history**. - -4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). + + 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or  + searching the start menu for **Defender**. + 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + + 3. Click **Threat history** + + 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**,  + **Allowed threats**). + ### Set ransomware protection and recovery options diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 133cd1426f..8f28ada884 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -40,7 +40,7 @@ Before you begin this process, you need to create a WDAC policy binary file. If > > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. > [!Note] > diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 9633a7cf60..26bd6f527f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -67,7 +67,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | -| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection of enforcing user-writeability and only allowing admin-writeable locations. | +| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for the path specified in the FilePathRule parameter of the New-CIPolicyRule cmdlet. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. | ## Windows Defender Application Control file rule levels

MessageDate
Windows 7 has reached end of support
Windows 7 reached end of support on January 14, 2020. If your organization has not yet been able to complete your transition from Windows 7 to Windows 10, and want to continue to receive security updates while you complete your upgrade projects, please read How to get Extended Security Updates for eligible Windows devices. For more information on end of service dates for currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
January 15, 2020
10:00 AM PT
Take action: January 2020 security update available for all supported versions of Windows
The January 2020 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
January 14, 2020
08:00 AM PT
Advisory: Windows CryptoAPI certificate validation vulnerability
On January 14, 2020, Microsoft released security updates to address an elliptic-curve cryptography (ECC) certificate validation issue in the Windows CryptoAPI. This vulnerability applies to all versions of the Windows 10 operating system, client and server. While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to all of your Windows 10 devices with priority. Here is what you need to know:
  • If you are running a supported version of Windows 10 and have automatic updates enabled, you are automatically protected and do not need to take any further action.
  • If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows 10 devices and servers as soon as possible.
If you are running an unsupported version of Windows 10, we recommend that you upgrade to the current version of Windows 10 to benefit from the latest security protections. For more information about this vulnerability, see the Microsoft Security Guidance for CVE-2020-0601 and the Microsoft Security Response Center blog, January 2020 Security Updates: CVE-2020-0601.
January 14, 2020
08:00 AM PT
Advisory: Windows CryptoAPI certificate validation vulnerability
On January 14, 2020, Microsoft released security updates to address an elliptic-curve cryptography (ECC) certificate validation issue in the Windows CryptoAPI. This vulnerability applies to all versions of the Windows 10 operating system, client and server. While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to all of your Windows 10 devices with priority. Here is what you need to know:
  • If you are running a supported version of Windows 10 and have automatic updates enabled, you are automatically protected and do not need to take any further action.
  • If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows 10 devices and servers as soon as possible.
If you are running an unsupported version of Windows 10, we recommend that you upgrade to the current version of Windows 10 to benefit from the latest security protections. For more information about this vulnerability, see the Microsoft Security Guidance for CVE-2020-0601 and the Microsoft Security Response Center blog, January 2020 Security Updates: CVE-2020-0601.
January 14, 2020
08:00 AM PT
Take action: December 2019 security update available for all supported versions of Windows
The December 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1909 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
December 10, 2019
08:00 AM PT
Timing of Windows 10 optional update releases (December 2019)
For the balance of this calendar year, there will be no optional non-security “C” and “D” releases for Windows 10. The \"C\" releases normally target the third week of the month, with \"D\" releases targeting the fourth week. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer.
December 10, 2019
08:00 AM PT
Windows 10, version 1909 now available
Learn how to get Windows 10, version 1909 (the November 2019 Update), and explore how we’ve worked to make this a great experience for all devices, including a new, streamlined (and fast) update experience for devices updating directly from the May 2019 Update.
November 12, 2019
10:00 AM PT