From 0e62554ad36a0bf8cf9e857049be5aceafc81d37 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 9 Sep 2020 16:47:37 +0530 Subject: [PATCH 001/106] Update-bl-ovw-4318240 --- .../bitlocker/bitlocker-overview.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 131a256f82..8dff04be1f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
@@ -29,9 +29,9 @@ This topic provides a high-level overview of BitLocker, including a list of syst BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. +BitLocker provides the maximum protection when used with a trusted platform module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. -On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. +On computers that do not have a TPM version 1.2 or later versions, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. 
Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. 
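Review bot: "version 1.2 or later versions" in both added paragraphs is redundant ("version ... versions"); the original "TPM version 1.2 or later" says the same thing and reads cleaner. Since the second paragraph is being rewritten anyway, "Both options do not provide the pre-startup system integrity verification" is worth fixing too: it leaves open whether one or neither option provides it. "Neither option provides the pre-startup system integrity verification offered by BitLocker with a TPM" states the limitation of the non-TPM configurations unambiguously.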
@@ -39,13 +39,13 @@ In addition to the TPM, BitLocker offers the option to lock the normal startup p Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled. -There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker. +There are two additional tools in the Remote Server Administration Tools which you can use to manage BitLocker. - **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator. - **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. 
Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the -BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or by using the recovery console. +BitLocker control panel, and they are appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console. ## New and changed functionality 
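Review bot: In the BitLocker Drive Encryption Tools bullet, "appropriate to be used for automated deployments" is wordier than the "appropriate to use for" it replaces and adds no meaning; keep the original or use "suitable for automated deployments and other scripting scenarios". Dropping the comma in "Remote Server Administration Tools which you can use" also makes the clause restrictive; restore the comma or change "which" to "that".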
@@ -55,9 +55,9 @@ To find out what's new in BitLocker for Windows 10, such as support for the XTS BitLocker has the following hardware requirements: -For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive. +For BitLocker to use the system integrity check provided by a trusted platform module (TPM), the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive. -A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. +A computer with a TPM must also have a trusted computing group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. 
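Review bot: "trusted computing group (TCG)-compliant" lowercases the name of a standards body. Trusted Computing Group is a proper noun, and the recovery-guide patch later in this series writes "Trusted Computing Group (TCG) standards", so the two files would disagree after this change. Keep the capitalized form here. In the first added paragraph, "makes it mandatory for you to save a startup key" is longer than "requires that you save" with no change in meaning.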
@@ -65,37 +65,37 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://blogs.technet.microsoft.com/tip_of_the_day/2014/01/22/tip-of-the-day-bitlocker-without-tpm-or-usb/). > [!NOTE] -> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. +> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. -- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. 
For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space. +- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space. -When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. +When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker. -When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. +When installing the BitLocker optional component on a server, you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives. ## In this section | Topic | Description | | - | - | -| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. 
| -| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| -| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. | -| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. | -| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic for the IT professional explains how to deploy BitLocker on Windows Server.| -| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. | -| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic for the IT professional describes how to use tools to manage BitLocker.| -| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. | -| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker. 
| -| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.| -| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. | -| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | +| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. | +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic explains the procedure you can use to plan your BitLocker deployment. | +| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic explains how BitLocker features can be used to protect your data through drive encryption. | +| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic explains how to deploy BitLocker on Windows Server.| +| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic describes how BitLocker Network Unlock works and how to configure it. 
| +| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic describes how to use tools to manage BitLocker.| +| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic describes how to use the BitLocker Recovery Password Viewer. | +| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | +| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.| +| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. | +| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. 
| -| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| -| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core | +| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.| +| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic describes how to use BitLocker with Windows 10 IoT Core | From 7c25707f554008254f6112943a29a73f28867abc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 9 Sep 2020 20:03:59 +0530 Subject: [PATCH 002/106] Update-bl-rcvgdplan-4318240 --- .../bitlocker-recovery-guide-plan.md | 92 ++++++++++--------- 1 file changed, 48 insertions(+), 44 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 943135fa94..864f32d49a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
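Review bot: In the bitlocker-overview.md hunk at -65,37, the rewritten MBR2GPT note is still hard to follow for a step that decides whether the machine boots. "Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI" makes the OS the thing that stops the OS, and the new comma in "before changing the BIOS mode, which prepares the OS and the disk" attaches "which" to the mode change rather than to the tool. Suggest: "An operating system installed in Legacy mode will not boot after the BIOS mode is changed to UEFI. Before changing the BIOS mode, use MBR2GPT to prepare the OS and the disk to support UEFI." In the same note, "secure boot feature" lowercases a feature name that the last row of the table still spells "Secure Boot".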
@@ -23,9 +23,9 @@ ms.custom: bitlocker **Applies to** - Windows 10 -This topic for IT professionals describes how to recover BitLocker keys from AD DS. +This topic describes how to recover BitLocker keys from AD DS. -Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. +Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It is recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment. This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. 
@@ -35,15 +35,15 @@ This article does not detail how to configure AD DS to store the BitLocker reco BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive: -- The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain). -- A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. -- A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). +- **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. 
(Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain). +- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. +- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). ### What causes BitLocker recovery? The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. 
To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device immediately reboots and enters into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** group policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)) to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. 
- Failing to boot from a network drive before booting from the hard drive. 
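Review bot: In the AD DS bullet, "This method makes it mandatory for you to enable this recovery method" loses the tense of the original "requires that you have enabled", which told the reader the policy has to be in place before recovery is ever needed. The recovery password retrieval section of this same file makes that point explicitly ("you must have configured the appropriate group policy settings before BitLocker was enabled on the PC"). Suggest "This method requires that you have already enabled it in the BitLocker group policy setting ...", which also avoids "This method ... this recovery method". The second bullet switches between "Data recovery agents" in the bold lead and "the data recovery agent" in the next sentence; pick one number.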
@@ -60,22 +60,23 @@ The following list provides examples of specific events that will cause BitLocke - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. - Changes to the master boot record on the disk. - Changes to the boot manager on the disk. -- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. -- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. -- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. +- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option makes the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. +- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This prevents the entry of enhanced PINs. +- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** results in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. 
> [!NOTE] - > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. + > Some computers have BIOS settings that skip measurements to certain PCRs such as **PCR\[2\]**. Changing this setting in the BIOS causes BitLocker to enter recovery mode because the PCR measurement will be different. - Moving the BitLocker-protected drive into a new computer. - Upgrading the motherboard to a new one with a new TPM. - Losing the USB flash drive containing the startup key when startup key authentication has been enabled. - Failing the TPM self-test. -- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. +- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group (TCG) standards for a client computer. For example, a non-compliant implementation records volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode. - Changing the usage authorization for the storage root key of the TPM to a non-zero value. > [!NOTE] > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. + **Question: Does it imply that another user or process should change this to a non-zero value?** - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). - Pressing the F8 or F10 key during the boot process. 
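Review bot: The added line "**Question: Does it imply that another user or process should change this to a non-zero value?**" is a query to the reviewers and would be published inside the list of recovery causes; remove it from the patch and raise it in the review thread. The note directly above it already answers the question: initialization sets the usage authorization to zero, so a non-zero value means some user or process changed it. In the same hunk, "can make" to "makes", "This can prevent" to "This prevents" and "may record" to "records" turn possibilities into certainties. A non-compliant firmware does not necessarily record volatile data in the TPM measurements, so keep the modal verbs.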
@@ -83,16 +84,17 @@ The following list provides examples of specific events that will cause BitLocke - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. > [!NOTE] -> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. +> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components. -For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. +For planned scenarios, such as a known hardware or firmware upgrade, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. 
Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. +**Question: The above sentence looks incomplete. Can more inputs be provided? Or does "if" need to be removed?** -If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. +If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. -Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. +Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery mode before the computer is given to a new user. ## Testing recovery 
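Review bot: The added "**Question: The above sentence looks incomplete. Can more inputs be provided? Or does "if" need to be removed?**" line is a note to reviewers committed into the article body; drop it before merge. The sentence it asks about only lacks a comma after the opening clause: "If suspended, BitLocker automatically resumes protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool." In the next paragraph, "enable BitLocker Network Unlock feature" needs an article ("the BitLocker Network Unlock feature") or should stay as "enable BitLocker Network Unlock".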
@@ -101,14 +103,14 @@ Before you create a thorough BitLocker recovery process, we recommend that you t **To force a recovery for the local computer** 1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +2. At the command prompt, type the following command and then press **ENTER**: `manage-bde -forcerecovery ` **To force recovery for a remote computer** 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +2. At the command prompt, type the following command and then press **ENTER**: `manage-bde. -ComputerName -forcerecovery ` > [!NOTE] 
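Review bot: The hunk bolds **ENTER** in both procedures but leaves the commands on the following context lines untouched. As shown here, the remote form reads `manage-bde. -ComputerName -forcerecovery`, with a period after `manage-bde`, and neither command carries a placeholder for the volume or the computer name. Since these steps are being edited, correct the command text in the same change so that an administrator can type it as written.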
@@ -136,20 +138,20 @@ When you determine your recovery process, you should: ### Self-recovery -In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. +In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. ### Recovery password retrieval -If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. 
BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. +If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default; you must have configured the appropriate group policy settings before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). 
Select the **Do not enable BitLocker until recovery information is stored in AD +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS, select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. > [!NOTE] -> If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. +> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event of a recovery being required. The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. 
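Review bot: In the rewritten paragraph beginning "In each of these policies", two separate instructions are now joined by a comma ("... to store in AD DS, select the **Do not enable BitLocker until recovery information is stored in AD DS** check box ..."), so they read as one continuous step. Keep them as two sentences, as in the removed text: the check box is what prevents BitLocker from being enabled until the backup to AD DS succeeds, and it should stand out as its own decision. In the self-recovery paragraph, "We recommend that your organization creates" was already correct as "create".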
@@ -167,37 +169,36 @@ You can use the name of the user's computer to locate the recovery password in A ### Verify the user's identity -You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. +You should verify whether the person who is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify whether the computer for which the user provided the name belongs to the user. ### Locate the recovery password in AD DS -Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. +Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest. ### Multiple recovery passwords -If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created. +If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created. -If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console. +If at any time you are unsure about the password to be provided, or if you think you might be providing the incorrect password, ask the user to read the 8-character password ID that is displayed in the recovery console. 
-Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume. +Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume. ### Gather information to determine why recovery occurred -Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). +Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery). ### Give the user the recovery password -Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. +Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. 
The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. ### Post-recovery analysis -When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption -when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. +When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. -If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: +If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time the computer starts up. 
See: - [Determine the root cause of the recovery](#bkmk-determinecause) - [Refresh BitLocker protection](#bkmk-refreshprotection) 
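Review bot: Under "Verify the user's identity", changing "verify that the person ... is truly the authorized user" to "verify whether the person ..." turns a required confirmation into an open question, which weakens the one step that gates release of the recovery password. Keep "verify that" in both sentences of that section. The second sentence, "the computer for which the user provided the name", is also harder to parse than the removed "the computer with the name the user provided".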
@@ -210,20 +211,20 @@ While an administrator can remotely investigate the cause of recovery in some ca Review and answer the following questions for your organization: -1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? +1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? 2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? 3. If TPM mode was in effect, was recovery caused by a boot file change? -4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? +4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software? 5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? 6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? -To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. +To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely. 
### Resolve the root cause After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup. -The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. +The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. > [!NOTE] > You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. @@ -240,9 +241,10 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 1. Unlock the computer using the recovery password. 2. Reset the PIN: 1. Right-click the drive and then click **Change PIN** - 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. -3. You will use the new PIN the next time you unlock the drive. + 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then click **Finish**. +You will use the new PIN the next time you unlock the drive. +**Question: I am removing the bulleted number for the above phrase because it sounds more like a step result** ### Lost startup key 
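Review bot: In the @@ -210,20 +211,20 @@ hunk, question 4 and the "Resolve the root cause" paragraph now say "a malicious software"; "software" is uncountable, so the removed wording ("or to malicious software", "if malicious software or a rootkit") was correct and should be restored. The other changes in that hunk ("Which BitLocker protection mode", "if a boot file change occurred") are fine.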
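Review bot: In the PIN reset steps (@@ -240,9 +241,10 @@), the former step 3 ("You will use the new PIN the next time you unlock the drive.") is now an unnumbered line placed directly after nested step 3, and the `**Question: I am removing the bulleted number ...**` line added after it would be published with the article. Put the question in the pull request instead, and make sure the result sentence is separated from the nested list by a blank line so it does not render as a continuation of the last sub-step.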
@@ -250,26 +252,28 @@ If you have lost the USB flash drive that contains the startup key, then you mus **To prevent continued recovery due to a lost startup key** -1. Log on as an administrator to the computer that has the lost startup key. +1. Log on as an administrator to the computer that has its startup key lost. +**Question: Is the above rephrased version implying the intended meaning?** 2. Open Manage BitLocker. -3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. +3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then click **Save**. ### Changes to boot files -This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. +This error occurs if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. 
When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. 
+**Question: The marked instance of TPM above renders the sentence ambiguous. Need inputs on the same** ## BitLocker recovery screen -During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. +During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery. ### Custom recovery message -BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. +BitLocker group policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. From e9040e6411da18eaa5fcc7165ac40acbf5294974 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 10 Sep 2020 12:20:40 +0530 Subject: [PATCH 003/106] Update bitlocker-recovery-guide-plan.md --- .../bitlocker-recovery-guide-plan.md | 43 ++++++++++--------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 864f32d49a..d6fe5d24d0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -273,7 +273,7 @@ During BitLocker recovery, Windows displays a custom recovery message and a few ### Custom recovery message -BitLocker group policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. +BitLocker group policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support. This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**. 
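Review bot: In the @@ -250,26 +252,28 @@ hunk of the preceding patch, under "Changes to boot files", "This error might occur if you updated the firmware" became "This error occurs if you updated the firmware", which states as certain what the original hedged; keep "might occur". The same hunk adds two `**Question: ...**` lines (one between steps 1 and 2 of the lost startup key procedure, one after the Windows RE paragraph) and bolds "**the TPM**" as a marker; these are review queries and should not be committed to the article. For step 1, the removed wording "the computer that has the lost startup key" is clearer than "that has its startup key lost".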
@@ -290,25 +290,25 @@ Example of customized recovery screen: ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen](./images/bl-password-hint2.png) > [!IMPORTANT] -> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account. +> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. 
-There are rules governing which hint is shown during the recovery (in order of processing): +There are rules governing which hint is shown during the recovery (in the order of processing): 1. Always display custom recovery message if it has been configured (using GPO or MDM). 2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq." -3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key. +3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key. 4. Prioritize keys with successful backup over keys that have never been backed up. 5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. 6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints. -7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date. -8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed. -9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer. +7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date. +8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” is displayed. +9. 
If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. #### Example 1 (single recovery key with single backup) @@ -321,7 +321,8 @@ There are rules governing which hint is shown during the recovery (in order of p | Printed | No | | Saved to file | No | -**Result:** The hint for the Microsoft Account and custom URL are displayed. +**Result:** The hints for the Microsoft account and custom URL are displayed. + ![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) 
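Review bot: In the @@ -290,25 +290,25 @@ hunk, rule 7 is edited ("latest backed-up date") but still reads "(remove vs. local)", which looks like a typo for "remote vs. local" given that rule 5 speaks of remote backup locations; fix it in the same change. Rule 5 also still has "**Microsoft Account > Azure AD > Active Directory**" while the [!IMPORTANT] note above it and the Example 1 result were changed to "Microsoft account", so the capitalization is now inconsistent within the section.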
@@ -424,38 +425,38 @@ If the recovery methods discussed earlier in this document do not unlock the vol > [!NOTE] > You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. -The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). +The BitLocker key package is not saved, by default. To save the package along with the recovery password in AD DS, you must select the **Backup recovery password and key package** option in the group policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). ## Resetting recovery passwords -You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. +You must invalidate a recovery password after it has been provided and used, and when you intentionally want to invalidate an existing recovery password for any reason. You can reset the recovery password in two ways: -- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. -- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. +- **Use manage-bde**. 
You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. +- **Run a script**. You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. **To reset a recovery password using manage-bde** -1. Remove the previous recovery password +1. Remove the previous recovery password. ```powershell Manage-bde –protectors –delete C: –type RecoveryPassword ``` -2. Add the new recovery password +2. Add the new recovery password. ```powershell Manage-bde –protectors –add C: -RecoveryPassword ``` -3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. +3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword ``` -4. Backup the new recovery password to AD DS +4. Backup the new recovery password to AD DS. ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} @@ -466,6 +467,7 @@ You can reset the recovery password in two ways: **To run the sample recovery password script** 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. +**Question: The sample script seems missing**. 2. At the command prompt, type a command similar to the following: **cscript ResetPassword.vbs** 
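Review bot: In the @@ -424,38 +425,38 @@ hunk, the merged sentence under "Resetting recovery passwords" is circular: "You must invalidate a recovery password ... when you intentionally want to invalidate an existing recovery password". Keep the requirement for the first case only ("You must invalidate a recovery password after it has been provided and used.") and leave the second case as its own sentence. "The BitLocker key package is not saved, by default." does not need the comma, and step 4 should use the verb form "Back up" rather than "Backup".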
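Review bot: The added `**Question: The sample script seems missing**.` line sits between steps 1 and 2 of "To run the sample recovery password script", so it breaks the numbered list and would be published. The script appears to be present further down the file: the context of the following hunks shows "You can use the following sample script to create a VBScript file to reset the recovery passwords." and the script's closing `WScript.Echo` line. Drop the question, or reword step 1 so that it points to that script.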
@@ -474,7 +476,7 @@ You can reset the recovery password in two ways: > This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. > [!NOTE] -> To manage a remote computer, you can specify the remote computer name rather than the local computer name. +> To manage a remote computer, you must specify the remote computer name rather than the local computer name. You can use the following sample script to create a VBScript file to reset the recovery passwords. @@ -553,10 +555,11 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): -- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. +- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. -The following sample script exports all previously-saved key packages from AD DS. +The following sample script exports all previously saved key packages from AD DS. +**Question: Sample script seems missing** **To run the sample key package retrieval script** From 5c6b8264b0c5e4a14ec0bcb6594c1abd920e2f76 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 10 Sep 2020 12:23:40 +0530 Subject: [PATCH 004/106] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index d6fe5d24d0..b5795232b6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -360,7 +360,7 @@ There are rules governing which hint is shown during the recovery (in the order |----------------------|-----------------| | Saved to Microsoft Account | No | | Saved to Azure AD | No | -| Saved to Acive Directory | No | +| Saved to Active Directory | No | | Printed | No | | Saved to file | Yes | | Creation time | **1PM** | From 2b3d41e0c5945192efc7b208776f58307a6801d6 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 11 Sep 2020 19:10:56 +0530 Subject: [PATCH 005/106] Update prep-bl-policies-4457208 --- ...ion-for-bitlocker-planning-and-policies.md | 76 ++++++++++--------- 1 file changed, 39 insertions(+), 37 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index baa25d7cf6..d42faca138 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -24,9 +24,9 @@ ms.custom: bitlocker - Windows 10 -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic explains how to plan your BitLocker deployment. -When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. +When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. ## Audit your environment @@ -36,7 +36,7 @@ Use the following questions to help you document your organization's current dis 1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker? 2. What policies exist to control recovery password and recovery key storage? -3. What are the policies for validating the identity of users that need to perform BitLocker recovery? +3. What are the policies for validating the identity of users who need to perform BitLocker recovery? 4. What policies exist to control who in the organization has access to recovery data? 5. What policies exist to control computer decommissioning or retirement? 
@@ -51,17 +51,18 @@ The trusted platform module (TPM) is a hardware component installed in many newe In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented. -On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. +On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors | Key protector | Description | | - | - | -| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.| +| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| | Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| | Startup key | An encryption key that can be stored on most removable media. 
This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| -| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| +**Question:Is the conjunction with a TPM on TPM-enabled computers? The flow of the sentence requires the mention of the computer type** +| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.| | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| ### BitLocker authentication methods 
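Review bot: In the `@@ -51,17 +51,18 @@` hunk, the added line `**Question:Is the conjunction with a TPM on TPM-enabled computers? ...**` sits between the "Startup key" row and the "Recovery password" row of the key protector table. Depending on the renderer, it will either show up as a stray table row or split the table, and in both cases the reviewer query is published to readers. Remove the line and ask the question in the PR thread; if the Startup key description needs the clarification, change that row's text instead. Smaller point in the same hunk: "TPM 1.2 or higher versions" reads awkwardly in both the paragraph and the TPM row; "TPM 1.2 or later" says the same thing.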
@@ -69,24 +70,25 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi | Authentication method | Requires user interaction | Description | | - | - | - | | TPM only| No| TPM validates early boot components.| -| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| +| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.| | TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | | TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| | Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.| -**Will you support computers without TPM version 1.2 or higher?** +**Will you support computers without TPM 1.2 or higher versions?** -Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. 
This requires additional support processes similar to multifactor authentication. +Determine whether you will support computers that do not have a TPM 1.2 or higher versions in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication. **What areas of your organization need a baseline level of data protection?** -The TPM-only authentication method will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. +The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. +**Question: Does reboot unattended imply reboot automatically?** However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. **What areas of your organization need a more secure level of data protection?** -If there are areas of your organization where data residing on user computers is considered highly-sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. 
You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. +If there are areas of your organization in which user systems with highly sensitive data are found, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock feature to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key. **What multifactor authentication method does your organization prefer?** 
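Review bot: The `@@ -69,24 +70,25 @@` hunk adds `**Question: Does reboot unattended imply reboot automatically?**` as a standalone line after the TPM-only paragraph, so the query would ship as bold body text; take it out and resolve it in review. Several of the rewritten lines in this hunk also read worse than what they replace: "computers that do not have a TPM 1.2 or higher versions" pairs a singular article with a plural noun, "You can also use BitLocker Network Unlock feature" is missing "the", and "areas of your organization in which user systems with highly sensitive data are found" is harder to parse than the original "where data residing on user computers is considered highly-sensitive" (only the hyphen in "highly-sensitive" needed to go).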
@@ -94,23 +96,23 @@ The protection differences provided by multifactor authentication methods cannot ## TPM hardware configurations -In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. +In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment. ### TPM 1.2 states and initialization -For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state. This is the state that BitLocker requires before it can use the TPM. +For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM that is then brought to an enabled, activated, and owned state. This is the state that BitLocker requires before it can use the TPM. ### Endorsement keys -For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup. +For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker forces the TPM to generate one automatically as part of BitLocker setup. 
-An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken. +An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken. For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (). ## Non-TPM hardware configurations -Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key. +Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker-protected using a startup password, and PCs without a TPM can use a startup key. Use the following questions to identify issues that might affect your deployment in a non-TPM configuration: 
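Review bot: In the `@@ -94,23 +96,23 @@` hunk, the TPM 1.2 paragraph now reads "Windows 10 automatically initializes the TPM that is then brought to an enabled, activated, and owned state." The restrictive "that" makes the clause identify which TPM is initialized, and the sentence no longer says that initialization is what brings the TPM to that state, which is the point the next sentence ("This is the state that BitLocker requires") depends on. Keep the original "which brings it to an enabled, activated, and owned state", or use "bringing it to ..." if the goal was to shorten it. The other changes in this hunk (tense, the added "it", "BitLocker-protected") look fine.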
@@ -118,16 +120,16 @@ Use the following questions to identify issues that might affect your deployment - Do you have budget for USB flash drives for each of these computers? - Do your existing non-TPM devices support USB devices at boot time? -Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. +Test your individual hardware platforms with the **BitLocker system check** option while you are enabling BitLocker. The system check ensures that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material. ## Disk configuration considerations To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: -- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system -- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. 
It should be at least 350 MB in size +- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system. +- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size. -Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption. +Windows setup automatically configures the disk drives of your computer to support BitLocker encryption. Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE in conjunction with BitLocker, the Windows RE boot image must reside on a volume that is not protected by BitLocker. 
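Review bot: The rewritten system partition bullet in the `@@ -118,16 +120,16 @@` hunk still carries the typo "UEFI firware" on its `+` line; it is only corrected by the one-line follow-up commit (PATCH 006) against the same file. Fold that fix into this commit so the series does not introduce and then repair the same line. While the line is being touched, "FAT 32" should be "FAT32", the usual name of the file system. The punctuation fixes on the two bullets and the switch to present tense are fine.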
@@ -135,29 +137,29 @@ Windows RE can also be used from boot media other than the local hard disk. If y ## BitLocker provisioning -In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM. +In Windows Vista and Windows 7, BitLocker was provisioned post-installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires the computer to have a TPM. -To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not protected and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, manage-bde tool or WMI APIs to add an appropriate key protector and the volume status will be updated. +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. 
In this case, the volume is not protected and needs to have a secure key added to the it before the drive is considered fully protected. Administrators can use the Control Panel options, manage-bde tool or WMI APIs to add an appropriate key protector, and the volume status will be updated. -When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented prior to changing the volume status. +When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then, the drive security window is presented prior to changing the volume status. -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes. +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process (**Question: Is the change made to this sentence complying the intended meaning?**. 
If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes. ## Used Disk Space Only encryption -The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption. +The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker group policy setting to enforce either Used Disk Space Only or Full disk encryption. Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you are asked to choose the drive encryption type, either Used Disk Space Only or Full drive encryption. -Used Disk Space Only means that only the portion of the drive that contains data will be encrypted, unused space will remain unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method as data is added to the drive the portion of the drive used will be encrypted, so there is never unencrypted data stored on the drive. +Used Disk Space Only means that only the portion of the drive that contains data is encrypted, and that the unused space remains unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method on data being added to the drive, the portion of the drive used is encrypted; thus, there is never unencrypted data stored on the drive. 
-Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use. +Full drive encryption means that the entire drive is encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and that may contain data remnants from their previous use. ## Active Directory Domain Services considerations -BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information: +BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information: -Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker protected drives can be recovered. +Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/). 
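Review bot: The WinPE paragraph in the `@@ -135,29 +137,29 @@` hunk now contains "(**Question: Is the change made to this sentence complying the intended meaning?**." inside the published sentence, with a parenthesis that is never closed. The rewrite it asks about does change the meaning: "a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume" says the protector performs the encryption, whereas the original says the protector is applied and the volume is encrypted before Windows setup runs. Restore the original wording and remove the question. Two more regressions in this hunk: "a secure key added to the it" is a typo for "added to it", and "When BitLocker is enabled with this method on data being added to the drive" loses the original sense that, once enabled, newly written data is encrypted as it is added.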
@@ -169,28 +171,28 @@ The following recovery data is saved for each computer object: - **Key package data** - With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID. + With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID. ## FIPS support for recovery password protector -Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. +Functionality introduced in Windows Server 2012 R2 and Windows 8.1 allows BitLocker to be fully functional in FIPS mode. > [!NOTE] -> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm. 
+> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm. Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](https://support.microsoft.com/kb/947249). But on computers running these supported systems with BitLocker enabled: -- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. +- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. -- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. 
+- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords (**Question: Is this edited sentence conveying the intended meaning?**. +- When FIPS-compliant recovery passwords unlock volumes, the volume is allowed read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. -The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not. +The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not. -However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; so recovery keys should be used instead. +However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; therefore, recovery keys should be used, instead. ## More information From 9f8bee674ba7a9785d7840b5f92aa9a1884b124b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 11 Sep 2020 19:17:31 +0530 Subject: [PATCH 006/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
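Review bot: The FIPS bullet list in the `@@ -169,28 +171,28 @@` hunk gains "(**Question: Is this edited sentence conveying the intended meaning?**." at the end of the "Recovery unlock" bullet, again with an unclosed parenthesis; remove it and settle the wording in review. In the same hunk, every "FIPS 140" has been changed to "FIPS-140" (and "FIPS 140-compliant" to "FIPS-140-compliant"). The standard is written "FIPS 140", as in FIPS 140-2, so the hyphenated form should be reverted. The bullet "the volume is allowed read/write access even while in FIPS mode" also drops the original statement that the volume is unlocked, and the unchanged neighbouring bullet still reads "stored in AD a while in FIPS mode", where the stray "a" could be fixed in this pass. The "FIPs" to "FIPS" correction and the removal of the comma after "Windows 8.1" are good.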
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index d42faca138..f523d4f8af 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -127,7 +127,7 @@ Test your individual hardware platforms with the **BitLocker system check** opti To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements: - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system. -- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size. +- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size. Windows setup automatically configures the disk drives of your computer to support BitLocker encryption. From 31c849116414ce3f6ddeb27224078d1998bd9dda Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 23 Sep 2020 19:10:34 +0530 Subject: [PATCH 007/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 79 +++++++++---------- 1 file changed, 39 insertions(+), 40 deletions(-) 
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ac7c00f8b6..2dc14bd0e6 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -23,30 +23,29 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic for IT pros describes how to protect CSVs and SANs with BitLocker. +This topic describes the procedure to protect CSVs and SANs by using BitLocker. -BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes -### Using BitLocker with Clustered Volumes +### Using BitLocker with clustered volumes -BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). +Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. 
For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on -BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster **Question: Can it be rephrased as the volume can be one that is shared within the cluster?**. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. ->**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. +>**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. 
This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes **Question: Can "on these types of volumes" be removed?**. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. 
When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: 1. Clear key 2. Driver-based auto-unlock key @@ -57,14 +56,14 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote 4. Registry-based auto-unlock key ->**Note:**  A Windows Server 2012 or later domain controller is required for this feature to work properly. +>**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: +BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation **Question: Can it be rephrased as "the disk resource need not be suspended for the volume encryption to be completed?**. To turn on BitLocker for a disk before adding it to a cluster, do the following: 1. Install the BitLocker Drive Encryption feature if it is not already installed. -2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. +2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. ```powershell 
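Review bot: Three `+` lines in this hunk carry inline editorial queries (`**Question: Can it be rephrased as ...?**`) inside the article body: the cluster-shared volume sentence, the `manage-bde -WipeFreeSpace` sentence, and the "does not require suspending the resource" sentence. They would publish as bold body text, so move them to review comments and remove them from the lines before merge. Separately, two rewrites change meaning rather than style: "BitLocker can protect" became "BitLocker protects" and "administrators can also add" became "administrators are adding"; keep "can" unless the behaviour is unconditional. "A Windows Server 2012 or later version's domain controller" is also harder to read than the original "Windows Server 2012 or later domain controller".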
@@ -77,16 +76,16 @@ BitLocker encryption is available for disks before or after addition to a cluste Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. 5. Repeat the preceding steps for each disk in the cluster. 6. Add the volume(s) to the cluster. ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: -1. Install the BitLocker Drive Encryption feature if it is not already installed. +1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. ```powershell 
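Review bot: The rewritten warning ends up with mixed casing in "cluster-shared Volume", and step 1 on the last `+` line lowercases the feature name to "BitLocker drive encryption feature" while the same step in the earlier section (context of the previous hunk) still reads "BitLocker Drive Encryption feature". Pick one form for the feature name and one for "cluster shared volume" and apply them throughout. This warning is the line that tells administrators the CNO-bound **ADAccountOrGroup** protector is required for CSV sharing and failover, so it should read cleanly.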
@@ -110,9 +109,9 @@ When the cluster service owns a disk resource already, it needs to be set into m ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. -6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode: +6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode: ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource 
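Review bot: In step 6 the new wording "take back the physical disk resource out of maintenance mode" splits the verb phrase and is harder to parse than the original "take the physical disk resource back out of maintenance mode"; I would keep the original. The warning's `+` line in this hunk also has mixed casing in "cluster-shared Volume".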
@@ -120,44 +119,44 @@ When the cluster service owns a disk resource already, it needs to be set into m 7. Repeat the preceding steps for each disk in the cluster. -### Adding BitLocker encrypted volumes to a cluster using manage-bde +### Adding BitLocker-encrypted volumes to a cluster using manage-bde -You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following: +You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster include the following: -1. Verify the BitLocker Drive Encryption feature is installed on the computer. +1. Verify that the BitLocker drive encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. -3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example): +3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the**manage-bde** command line interface (see example): - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` - 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption will continue. + 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. -4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered +4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. 
- - Once the disk is clustered it can also be enabled for CSV. + - Once the disk is clustered, it is enabled for CSV. -5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted. +5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If this operation fails, an event is logged that the volume could not be unlocked and the online operation has failed. -6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". -CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. +6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". +CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators must utilize the **manage-bde -status** command with a path to the volume inside the CSV namespace as seen in the example command line below. 
```powershell manage-bde -status "C:\ClusterStorage\volume1" ``` -### Physical Disk Resources +### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. ### Restrictions on BitLocker actions with cluster volumes -The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. +The following table contains information about both physical disk resources (i.e. traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. @@ -262,17 +261,17 @@ The following table contains information about both Physical Disk Resources (i.e
->Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. -In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. +In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion is not complete and completes the conversion process. ### Other considerations when using BitLocker on CSV2.0 Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume. -- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. -- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in maintenance mode. -- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) will automatically resume conversion when the volume is online to the cluster. -- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver will automatically resume conversion when the volume is online to the cluster. 
-- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) will automatically resume conversion when moving the volume back from maintenance. -- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver will automatically resume conversion when the volume is moved back from maintenance mode. +- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume **Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**. +- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. +- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. +- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. +- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. +- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. +- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. From 5e544be8a97edcdf6bbc23c0d198a06cb809508c Mon Sep 17 00:00:00 2001 
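Review bot: In the hunk at `@@ -120,44 +119,44 @@` of the patch that ends above, three `+` lines turn optional behaviour into statements of fact: "it can also be enabled for CSV" became "it is enabled for CSV", "CSVs can include both encrypted and unencrypted volumes" became "CSVs include both", and "administrators can utilize" became "administrators must utilize". Step 6 of the same hunk still describes adding the disk to a CSV as a separate manual action, so "is enabled" contradicts it; restore "can" in all three places. Step 3 also lost a space in "using the**manage-bde** command line interface".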
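Review bot: In the hunk at `@@ -262,17 +261,17 @@` of the patch that ends above, the first bullet's `+` line still contains an inline editorial query (`**Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**`) that would publish as body text; resolve it in review and remove it from the line. The note line keeps the unbalanced marker `>Note:**` while adding bold around `manage-bde -pause`, so the emphasis delimiters no longer pair as intended; write `>**Note:**` as the other notes in this file do.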
From: Asha Iyengar Date: Mon, 5 Oct 2020 17:41:54 +0530 Subject: [PATCH 008/106] Reviewed protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md (#3918) --- ...nd-storage-area-networks-with-bitlocker.md | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 2dc14bd0e6..acb4171785 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -23,7 +23,7 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic describes the procedure to protect CSVs and SANs by using BitLocker. +This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. 
@@ -31,36 +31,34 @@ BitLocker protects both physical disk resources and cluster shared volumes versi ### Using BitLocker with clustered volumes -Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). +Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a SAN or network attached storage (NAS). >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster **Question: Can it be rephrased as the volume can be one that is shared within the cluster?**. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. +Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. 
This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes **Question: Can "on these types of volumes" be removed?**. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. This is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. 
When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker unlocks protected volumes without user intervention by attempting protectors in the following order: 1. Clear key 2. Driver-based auto-unlock key -3. ADAccountOrGroup protector - - 1. Service context protector - 2. User protector - +3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector 4. Registry-based auto-unlock key >**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation **Question: Can it be rephrased as "the disk resource need not be suspended for the volume encryption to be completed?**. To turn on BitLocker for a disk before adding it to a cluster, do the following: +BitLocker encryption is available for disks before or after addition to a cluster storage pool. 
The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require to suspend the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 
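Review bot: The protector order list now writes the sub-items under item 3 as "a. Service context protector" and "b. User protector" with the surrounding blank lines removed. Lettered markers are not ordered-list syntax in CommonMark, so unlike the `1.`/`2.` sub-list they replace they will not parse as a nested list, and the unlock order is the part of this section readers need to see clearly. Keep the numbered sub-list. The replacement for the queried sentence, "the disk resource does not require to suspend the resource to complete the operation", is ungrammatical; the wording proposed in the removed query, "the disk resource need not be suspended for the volume encryption to be completed", is clearer.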
@@ -69,21 +67,19 @@ BitLocker encryption is available for disks before or after addition to a cluste ```powershell Get-Cluster ``` - 4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` - - >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. + >**Warning:**  You must configure a **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume either to be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster. 5. Repeat the preceding steps for each disk in the cluster. 6. Add the volume(s) to the cluster. ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn the Bitlocker on for a clustered disk using Windows PowerShell, do the following: 1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. 
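Review bot: The warning's `+` line changes "an **ADAccountOrGroup** protector" to "a **ADAccountOrGroup** protector", which introduces an article error; step 4 in the same hunk still says "an **ADAccountOrGroup** protector". The new intro sentence also has "To turn the Bitlocker on", which should be "To turn on BitLocker" to match the product casing and the section heading "Turning on BitLocker for a clustered disk using Windows PowerShell".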
@@ -91,19 +87,16 @@ When the cluster service owns a disk resource already, the disk resource needs t ```powershell Get-ClusterResource "Cluster Disk 1" ``` - 3. Put the physical disk resource into maintenance mode using Windows PowerShell. ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` - 4. Identify the name of the cluster with Windows PowerShell. ```powershell Get-Cluster ``` - 5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: ```powershell @@ -116,7 +109,6 @@ When the cluster service owns a disk resource already, the disk resource needs t ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` - 7. Repeat the preceding steps for each disk in the cluster. ### Adding BitLocker-encrypted volumes to a cluster using manage-bde 
@@ -268,7 +260,7 @@ In the case where a physical disk resource experiences a failover event during c ### Other considerations when using BitLocker on CSV2.0 Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume **Question: Can it be rephrased as "BitLocker volumes have to be initialized and have encryptions commenced on it?**. +- BitLocker volumes have to be initialized and begin encryption before they are available to add to a CSV2.0 volume . - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. - If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. - If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. From a2f677246e1803579bc003986e59b380c806334f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 6 Oct 2020 10:51:14 +0530 Subject: [PATCH 009/106] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 8dff04be1f..458f0a20c2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
@@ -29,7 +29,7 @@ This topic provides a high-level overview of BitLocker, including a list of syst BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. -BitLocker provides the maximum protection when used with a trusted platform module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. +BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. On computers that do not have a TPM version 1.2 or later versions, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. 
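Review bot: The `+` line restores the capitalised "Trusted Platform Module" but keeps "version 1.2 or later versions", which is redundant here and again in the unchanged paragraph below ("a TPM version 1.2 or later versions"); "TPM version 1.2 or later" says the same thing. While this paragraph is being touched, the context sentence "Both options do not provide the pre-startup system integrity verification" would read less ambiguously as "Neither option provides ...", since it states what the non-TPM configurations lack.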
@@ -55,9 +55,9 @@ To find out what's new in BitLocker for Windows 10, such as support for the XTS BitLocker has the following hardware requirements: -For BitLocker to use the system integrity check provided by a trusted platform module (TPM), the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive. +For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive. -A computer with a TPM must also have a trusted computing group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. +A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware. The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. From 00bb28ce0573afef9496ea6c6e7776ce4794de01 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 9 Oct 2020 18:04:42 +0530 Subject: [PATCH 010/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...pare-your-organization-for-bitlocker-planning-and-policies.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index f523d4f8af..180cf50eeb 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -54,7 +54,6 @@ In addition, BitLocker offers the option to lock the normal startup process unti On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors - | Key protector | Description | | - | - | | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| From ca6095f38e463d44bc5c07ecaf5e279ae4f32e94 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 9 Oct 2020 18:19:16 +0530 Subject: [PATCH 011/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...pare-your-organization-for-bitlocker-planning-and-policies.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 180cf50eeb..f523d4f8af 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -54,6 +54,7 @@ In addition, BitLocker offers the option to lock the normal startup process unti On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors + | Key protector | Description | | - | - | | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| From 74ad1a5f45a5990fc03a657f8686111ebc28ce76 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 12 Oct 2020 14:08:03 +0530 Subject: [PATCH 012/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index f523d4f8af..55ea45f733 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -55,7 +55,7 @@ On computers that do not have TPM 1.2 or higher versions, you can still use BitL ### BitLocker key protectors -| Key protector | Description | +|**Key protector** | **Description** | | - | - | | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| From b517200777225f3183aea2fa84eaad31bfd957df Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 12 Oct 2020 14:22:16 +0530 Subject: [PATCH 013/106] Update prepare-your-organization Corrected the suggestion for PR3770 --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index f523d4f8af..fc7c0430c3 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -54,14 +54,12 @@ In addition, BitLocker offers the option to lock the normal startup process unti On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM. ### BitLocker key protectors - | Key protector | Description | | - | - | | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.| | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.| | Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.| | Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| -**Question:Is the conjunction with a TPM on TPM-enabled computers? The flow of the sentence requires the mention of the computer type** | Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.| | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| From 8d2ea4dd09ce8dab7ba60c776fc9d0d3a4e94113 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 22 Oct 2020 13:03:16 +0530 Subject: [PATCH 014/106] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index db893c2f8b..4f1c187a4c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -92,7 +92,6 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. -**Question: The above sentence looks incomplete. Can more inputs be provided? Or does "if" need to be removed?** If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker network unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. From 0c00e7a77e799755f664d7ad3b440faede956526 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 22 Oct 2020 15:33:06 +0530 Subject: [PATCH 015/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...-your-organization-for-bitlocker-planning-and-policies.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index fc7c0430c3..02a573b441 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -80,7 +80,6 @@ Determine whether you will support computers that do not have a TPM 1.2 or highe **What areas of your organization need a baseline level of data protection?** The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended. -**Question: Does reboot unattended imply reboot automatically?** However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection. 
@@ -141,7 +140,7 @@ To check the BitLocker status of a particular volume, administrators can look at When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then, the drive security window is presented prior to changing the volume status. -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process (**Question: Is the change made to this sentence complying the intended meaning?**. If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes. +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes. ## Used Disk Space Only encryption 
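Review bot: The WinPE sentence in the added line is unchanged apart from dropping the inline question, so the doubt the question raised is removed without being answered. "This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume" does not say what is "made to encrypt". Confirm the intended meaning with the feature owner and restate it in active form, naming what applies the clear key protector and what performs the encryption before Windows setup runs.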
@@ -184,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords (**Question: Is this edited sentence conveying the intended meaning?**. +- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is allowed read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. From 7bced2ce10c3a170e5e17cdc29eec29491494ad1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 11:54:40 +0530 Subject: [PATCH 016/106] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md 
@@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From c59c9d15aa893e4d8fa44b3d88ad675b1ee60086 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:39:36 +0530 Subject: [PATCH 017/106] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 23047bf7f1..fcf11cf7d8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -||||| -|--- |--- |--- |--- | |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| +|--- |--- |--- |--- | |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| From f3accee9338e79a8c005145929334436cf389a7d Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Thu, 4 Mar 2021 12:44:29 +0530 Subject: [PATCH 018/106] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index ce14a9e593..dc77051862 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -279,7 +279,7 @@ Windows Recovery Environment (RE) can be used to recover access to a drive prote This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time. -## Windows RE and BitLocker Device Encryption +## Windows RE and its usage in BitLocker Device Encryption Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. From 3b62934480fff611abf5d9867a5ec8f8ea325a3a Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:17:28 +0530 Subject: [PATCH 019/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...lumes-and-storage-area-networks-with-bitlocker.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 983ef48df9..32acbff95e 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators are adding an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. By adding this extra layer of protection to the clustered volume, administrators are increasing the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes 
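Review bot: The added line replaces "By adding additional protectors to the clustered volume" with "By adding this extra layer of protection", which drops "protectors", the term that explains how access is limited to certain user accounts. Keep the term, for example "By adding protectors to the clustered volume, administrators increase the security of resources". Also note that "the security to resources" in the new text should read "the security of resources".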
@@ -41,7 +41,7 @@ Windows PowerShell or the manage-bde command-line interface is the preferred met >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. This is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.. +For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector @@ -79,7 +79,7 @@ BitLocker encryption is available for disks before or after addition to a cluste ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn the Bitlocker on for a clustered disk using Windows PowerShell, do the following: +When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps: 1. Install the BitLocker drive encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. 
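Review bot: In the @@ -79,7 hunk, "To turn on the Bitlocker for a clustered disk" adds a stray article and keeps the miscapitalized product name, while the heading directly above it uses "BitLocker". Suggest "To turn on BitLocker for a clustered disk using Windows PowerShell, perform the following steps:".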
@@ -113,7 +113,7 @@ When the cluster service owns a disk resource already, the disk resource needs t ### Adding BitLocker-encrypted volumes to a cluster using manage-bde -You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster include the following: +You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are: 1. Verify that the BitLocker drive encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. 
@@ -149,11 +149,11 @@ manage-bde -status "C:\ClusterStorage\volume1" ### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. ### Restrictions on BitLocker actions with cluster volumes -The following table contains information about both physical disk resources (i.e. traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. +The following table contains information about both physical disk resources (that is, traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. From c8550e5e36f3f62abd8145f3cf6313bc0df9fe4c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:23:00 +0530 Subject: [PATCH 020/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 32acbff95e..d3ea4a6ba2 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. By adding this extra layer of protection to the clustered volume, administrators are increasing the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes From 21b1e166d0f32dd558e92f8ac6ed74987fa5c2b5 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Fri, 5 Mar 2021 15:28:11 +0530 Subject: [PATCH 021/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index d3ea4a6ba2..ae0507a14d 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -25,7 +25,7 @@ ms.custom: bitlocker This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. -BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. +BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. ## Configuring BitLocker on Cluster Shared Volumes 
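Review bot: The new closing sentence, "Only certain user accounts provided access to unlock the BitLocker volume.", is a fragment with no finite verb. Splitting it off also loses the cause-and-effect link of the removed wording ("by allowing only certain user accounts access to unlock the BitLocker volume"). Suggest keeping one sentence, such as "Administrators use this extra layer of protection to increase the security of resources by allowing only certain user accounts to unlock the BitLocker volume".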
From 8623f6afa0c04db9fff8840210a7d974085bcfbb Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 12:49:50 +0530 Subject: [PATCH 022/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...hared-volumes-and-storage-area-networks-with-bitlocker.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ae0507a14d..dd8155bcdd 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -35,7 +35,10 @@ Volumes within a cluster are managed with the help of BitLocker based on how the >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume must turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations are completed. +Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: + +- It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool +- It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. From b78d49c9fed05efd47fd3d0069898dd7e2a74581 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Sun, 7 Mar 2021 13:00:04 +0530 Subject: [PATCH 023/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index dd8155bcdd..7d35481c85 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -48,14 +48,17 @@ For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLo ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place: -1. Clear key -2. Driver-based auto-unlock key -3. **ADAccountOrGroup** protector - a. Service context protector - b. User protector -4. Registry-based auto-unlock key +- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. +- BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: + + 1. Clear key + 2. Driver-based auto-unlock key + 3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector + 4. Registry-based auto-unlock key >**Note:**  A Windows Server 2012 or later version's domain controller is required for this feature to work properly. 
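Review bot: The lead-in "the following events take place" now introduces two bullets, but the second bullet describes the protector order rather than an event, and the first bullet drops the article ("BitLocker service interrupts the request"). The unlock order is the part readers rely on, so check that the rendered page still shows it as steps 1 to 4 with "a. Service context protector" and "b. User protector" nested under step 3 now that the numbered list sits inside a bullet. A plain sentence followed by the numbered list, as before, would avoid the nesting.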
@@ -125,7 +128,8 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. - 2. Using the -sync parameter is optional. Using it ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + 2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage: + - The -sync parameter ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. From 3c350893b42d6bbc99511682d7345e6eaec6ab36 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 13:10:29 +0530 Subject: [PATCH 024/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...volumes-and-storage-area-networks-with-bitlocker.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 7d35481c85..16782434b3 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -129,7 +129,7 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. 2. Using the -sync parameter is optional. However, using -sync parameter has the following advantage: - - The -sync parameter ensures the command waits until the encryption for the volume is completed before releasing the volume for use in the cluster storage pool. + - The -sync parameter ensures the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool. 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. 
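Review bot: The reworded -sync bullet in the -129,7 hunk is still the only item in its list, and splitting the sentence in two weakens the ordering that the removed line stated ("waits until the encryption for the volume is completed before releasing the volume"). A one-item list introduced by "has the following advantage:" is heavier than a single sentence. Suggest folding it back into step 2, for example "Using the -sync parameter is optional; with it, the command waits until encryption of the volume is completed before the volume is released for use in the cluster storage pool." The parameter name would also read better in code formatting.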
@@ -143,10 +143,14 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If this operation fails, an event is logged that the volume could not be unlocked and the online operation has failed. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by Bitlocker fail, an event is logged. The logged event will state that the volume could not be unlocked and the online operation has failed. 6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". -CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators must utilize the **manage-bde -status** command with a path to the volume inside the CSV namespace as seen in the example command line below. +CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task: + +- Utilize the **manage-bde -status** command with a path to the volume. + + The path must be one that is inside the CSV namespace as seen in the example command line below. ```powershell From 8180887bf8fecc42effd88bc3d24e5b099fab5ee Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 14:41:52 +0530 Subject: [PATCH 025/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...lumes-and-storage-area-networks-with-bitlocker.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 16782434b3..06c283bba1 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -35,16 +35,16 @@ Volumes within a cluster are managed with the help of BitLocker based on how the >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -Alternatively, the volume can be a cluster shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: +Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: - It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. -Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. +Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. 
Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. >**Note:**  Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +In the case of thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector 
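Review bot: The added sentence "Volumes that lack drive letters don''t appear in the BitLocker Control Panel item." in the -35,16 hunk has a doubled apostrophe in "don''t", which renders as two characters; it should be "don't". In the same hunk, "Instead, the volume can be a cluster-shared volume" drops the removed text's gloss of a CSV as "a shared namespace, within the cluster", and the context list still has the volumes themselves as the subject of "must turn on BitLocker"; both are worth a second look while this paragraph is being reworded.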
@@ -64,7 +64,11 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: +BitLocker encryption is available for disks before these disks are added to a cluster storage pool. +> [!NOTE] +> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. +The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. +To turn on BitLocker for a disk before adding it to a cluster: 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. From d521d9e93347e998f52c548de9c527571ab58896 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Sun, 7 Mar 2021 14:53:10 +0530 Subject: [PATCH 026/106] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index fcf11cf7d8..c0a736e299 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md 
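Review bot: In the -64,7 hunk of PATCH 025, the added note line "> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool." starts with a leftover fragment ("The advantage of The") and spells the product "Bitlocker". Suggest "> BitLocker encryption can also be made available for disks after they are added to a cluster storage pool." The hunk's five added lines are consecutive with no blank line around the "> [!NOTE]" block, so the following paragraph ("The advantage of encrypting volumes prior to adding them ...") is likely to be absorbed into the note when rendered; add a blank line before and after the block.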
@@ -55,9 +55,11 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as: +- verification of the integrity of the system before it is booted +- multifactor authentication.| |BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
  • | -|File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| +|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. From 9d80f4d9e23db9f1f12cff95a4890001a6141999 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 9 Mar 2021 11:29:12 +0530 Subject: [PATCH 027/106] Update bitlocker-basic-deployment.md --- .../bitlocker/bitlocker-basic-deployment.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 2146b82940..05e8f44ec6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -55,9 +55,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as: -- verification of the integrity of the system before it is booted -- multifactor authentication.| +|Hardware TPM|TPM version 1.2 or 2.0.

    A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as (a) verification of the integrity of the system prior to its booting, and (b) multifactor authentication.| |BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
  • | |File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| From 6f2fa0d82e9fe78cc6540a00d50d3255e8a9948c Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 13 Sep 2022 15:31:12 +0530 Subject: [PATCH 028/106] fixed the warnings --- .../bitlocker/bitlocker-basic-deployment.md | 2 +- .../bitlocker-device-encryption-overview-windows-10.md | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 05e8f44ec6..06f1349062 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -111,7 +111,7 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7| -|--- |--- |--- |--- | +|---|---|---|---| |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted| |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted| |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| 
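Review bot: The File system row rewritten in PATCH 026, and carried unchanged as context in the -55,9 hunk of PATCH 027, now reads "One FAT32 partition for the system drive and one NTFS partition for the operating system drive", where the removed line read "at least one FAT32 partition". Dropping "at least" turns a minimum into an exact count, while the legacy BIOS sentence in the same cell keeps "at least two NTFS disk partitions". Restore the qualifier unless the requirement itself changed, and if it did, say so in the commit message, which currently reads only "Update bitlocker-basic-deployment.md".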
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index af220e5c22..03b03a3499 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -19,8 +19,7 @@ ms.custom: bitlocker # Overview of BitLocker Device Encryption in Windows 10 -**Applies to** -- Windows 10 +**Applies to:** Windows 10 This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). From 60b0b59b3e73bb71f030c264caa7d12febc95af6 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 14 Sep 2022 10:40:15 +0530 Subject: [PATCH 029/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index d3b6788152..53e04dc61e 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -31,9 +31,9 @@ Volumes within a cluster are managed with the help of BitLocker based on how the > [!IMPORTANT] > SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/). -Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following: +Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: -- It must turn on BitLocker - Only after this done, the volumes can be added into the storage pool +- It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. 
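Review bot: The reworded list in the -31,9 hunk still does not agree with its lead-in: "The volumes that are designated for a cluster must do the following tasks:" is plural, each item begins "It must", and the first item makes the volume the actor of "turn on BitLocker". Suggest addressing the administrator directly, for example "Turn on BitLocker on the volume; only after this task is done can the volume be added to the storage pool." The trailing context line also still carries the doubled apostrophe in "don''t appear", which this cleanup pass could correct.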
@@ -41,7 +41,7 @@ Windows PowerShell or the manage-bde command-line interface is the preferred met > [!NOTE] > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. -In the case of thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector @@ -68,7 +68,7 @@ BitLocker encryption is available for disks before these disks are added to a cl The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: -1. Install the BitLocker Drive Encryption feature if it is not already installed. +1. Install the BitLocker Drive Encryption feature if it isn't already installed. 2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. 
@@ -91,7 +91,7 @@ To turn on BitLocker for a disk before adding it to a cluster: When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps: -1. Install the BitLocker drive encryption feature if it is not already installed. +1. Install the BitLocker drive encryption feature if it isn't already installed. 2. Check the status of the cluster disk using Windows PowerShell. ```powershell 
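Review bot: The context line of the -91,7 hunk still reads "To turn on the Bitlocker for a clustered disk", while the -140,16 hunk of this same patch corrects "Bitlocker" to "BitLocker". Suggest fixing the casing here as well and dropping the article: "To turn on BitLocker for a clustered disk using Windows PowerShell, perform the following steps:".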
@@ -140,16 +140,16 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. - - Once the disk is clustered, it is enabled for CSV. + - Once the disk is clustered, it's enabled for CSV. 5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. - 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. + 1. If the volume isn't BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by Bitlocker fail, an event is logged. The logged event will state that the volume could not be unlocked and the online operation has failed. + - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed. 6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**". CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task: 
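Review bot: The trailing context of the -140,16 hunk still reads "To check the status of a particular volume for BitLocker encryption: administrators must do the following task:", where the colon after "encryption" splits the sentence and a second colon follows it. Since this patch is a wording cleanup of the same steps, suggest "To check the BitLocker encryption status of a particular volume, administrators must do the following task:". In step 5 and in the changed bullet, "cluster checks whether" and "If volume is **locked**" are also missing their articles.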
@@ -166,7 +166,7 @@ manage-bde -status "C:\ClusterStorage\volume1" ### Physical disk resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you can't unlock or decrypt a physical disk resource if you aren't administering the cluster node that owns the disk resource because the disk resource isn't available. ### Restrictions on BitLocker actions with cluster volumes 
@@ -277,12 +277,12 @@ The following table contains information about both physical disk resources (tha >Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. -In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion is not complete and completes the conversion process. +In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process. ### Other considerations when using BitLocker on CSV2.0 -Some other considerations to take into account for BitLocker on clustered storage include the following: -- BitLocker volumes have to be initialized and begin encryption before they are available to add to a CSV2.0 volume . +Some other considerations to take into account for BitLocker on clustered storage include: +- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume. - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. - If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. - If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. From e328ccf8e88aa6bbb11816129b356a30c1b0c038 Mon Sep 17 00:00:00 2001 
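Review bot: The first context line of the -277,12 hunk of PATCH 029, ">Note:** Although the **manage-bde -pause** command is blocked in clusters", has an unbalanced bold marker ("Note:**" has no opening "**"), which leaves stray asterisks in the rendered note. The alerts visible in the -31,9 and -41,7 hunks of this patch use the "> [!IMPORTANT]" and "> [!NOTE]" form; converting this one to the same form would fix the markup. In the changed lines, "Some other considerations to take into account for BitLocker on clustered storage include:" could be shortened to "Other considerations for BitLocker on clustered storage include:".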
From: Siddarth Mandalika Date: Fri, 16 Sep 2022 11:34:05 +0530 Subject: [PATCH 030/106] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 2bf30cdb62..2f1f5cd271 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -66,7 +66,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../../../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: 
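Review bot: The MBR2GPT link changed in the -66,7 hunk is rewritten again in each of PATCH 031, 032 and 033 ("../deployment/mbr-to-gpt.md", back to "../../../deployment/mbr-to-gpt.md", then "/windows/deployment/mbr-to-gpt.md"), so the target should be settled in this commit and the follow-ups squashed into it. Counted from this file's directory in the diff header (windows/security/information-protection/bitlocker/), "../../../deployment/mbr-to-gpt.md" points at windows/deployment/mbr-to-gpt.md, whereas the "../deployment/" form tried in PATCH 031 points inside information-protection/. The form reached in PATCH 033 is site-relative but keeps the ".md" extension, unlike the site-relative "/windows-hardware/drivers/" link in PATCH 029; confirm which form the build accepts, and name the warning being fixed in the commit message instead of "Update bitlocker-overview.md".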
@@ -85,7 +85,7 @@ When installing the BitLocker optional component on a server, you will also need | Topic | Description | | - | - | | [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. | -| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| +| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.| | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic explains the procedure you can use to plan your BitLocker deployment. | | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic explains how BitLocker features can be used to protect your data through drive encryption. | | [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic explains how to deploy BitLocker on Windows Server.| From 6c54f005ef924b0f10db3da84f22d56cb4b4cdd4 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 11:37:06 +0530 Subject: [PATCH 031/106] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 2f1f5cd271..33bea27ecf 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -66,7 +66,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../../../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: From 278d1e873b59042228d444c68703e4716737bb85 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 11:50:15 +0530 Subject: [PATCH 032/106] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 33bea27ecf..2f1f5cd271 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
@@ -66,7 +66,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../../../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: From 72fce29ef366ac20a167e2698ec931be9f6dcc04 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 11:56:33 +0530 Subject: [PATCH 033/106] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 2f1f5cd271..029ec810fd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
@@ -66,7 +66,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. -> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](../../../deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. +> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt.md) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: From 96a6ee7cf1bc6c01ed845f074e1aef3db4f2e5c8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 12:45:05 +0530 Subject: [PATCH 034/106] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 029ec810fd..9a6ffdc982 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
@@ -95,7 +95,7 @@ When installing the BitLocker optional component on a server, you will also need | [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. | | [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.| | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. | -| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | +| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.| | [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic describes how to use BitLocker with Windows 10 IoT Core | From 5e157e3a92a65c9849ef8d4abebd88348028dfa2 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Fri, 16 Sep 2022 12:50:19 +0530 Subject: [PATCH 035/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...nd-storage-area-networks-with-bitlocker.md | 121 +++--------------- 1 file changed, 17 insertions(+), 104 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 53e04dc61e..afa604d207 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -172,110 +172,23 @@ Unlike CSV2.0 volumes, physical disk resources can only be accessed by one clust The following table contains information about both physical disk resources (that is, traditional failover cluster volumes) and cluster shared volumes (CSV) and the actions that are allowed by BitLocker in each situation. -
    ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Action

    On owner node of failover volume

    On Metadata Server (MDS) of CSV

    On (Data Server) DS of CSV

    Maintenance Mode

    Manage-bde –on

    Blocked

    Blocked

    Blocked

    Allowed

    Manage-bde –off

    Blocked

    Blocked

    Blocked

    Allowed

    Manage-bde Pause/Resume

    Blocked

    Blocked

    Blocked

    Allowed

    Manage-bde –lock

    Blocked

    Blocked

    Blocked

    Allowed

    manage-bde –wipe

    Blocked

    Blocked

    Blocked

    Allowed

    Unlock

    Automatic via cluster service

    Automatic via cluster service

    Automatic via cluster service

    Allowed

    manage-bde –protector –add

    Allowed

    Allowed

    Blocked

    Allowed

    manage-bde -protector -delete

    Allowed

    Allowed

    Blocked

    Allowed

    manage-bde –autounlock

    Allowed (not recommended)

    Allowed (not recommended)

    Blocked

    Allowed (not recommended)

    Manage-bde -upgrade

    Allowed

    Allowed

    Blocked

    Allowed

    Shrink

    Allowed

    Allowed

    Blocked

    Allowed

    Extend

    Allowed

    Allowed

    Blocked

    Allowed

    - ->Note:** Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. +| Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode | +|--- |--- |--- |--- |--- | +|**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed| +|**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed| +|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed| +|**Manage-bde –lock**|Blocked|Blocked|Blocked|Allowed| +|**manage-bde –wipe**|Blocked|Blocked|Blocked|Allowed| +|**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed| +|**manage-bde –protector –add**|Allowed|Allowed|Blocked|Allowed| +|**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed| +|**manage-bde –autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)| +|**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed| +|**Shrink**|Allowed|Allowed|Blocked|Allowed| +|**Extend**|Allowed|Allowed|Blocked|Allowed| + +> [!NOTE] +> Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node. In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process. From a1df887f6671944604df056b6dfebe5b43f1bc60 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 12:58:01 +0530 Subject: [PATCH 036/106] resolved comments --- .../bitlocker-device-encryption-overview-windows-10.md | 2 +- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index e0d12cc32a..20fe2b176d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -19,7 +19,7 @@ ms.custom: bitlocker **Applies to** - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index ff944581f9..1b77d14e1c 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -155,7 +155,7 @@ With Full drive encryption, the entire drive is encrypted, whether data is store BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information: -Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered. +Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information). From 4d71847064fb5c6efa08877119f5bccc36a2e0ee Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 13:50:06 +0530 Subject: [PATCH 037/106] Update bitlocker-device-encryption-overview-windows-10.md --- .../bitlocker-device-encryption-overview-windows-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 334dcb3e62..e1d313bfbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
@@ -22,8 +22,8 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. -For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. +For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. From 87448d4ead7a9a986c69db8b2ae433fd074e1727 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 14:36:33 +0530 Subject: [PATCH 038/106] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 54df9c5536..76cd8bab26 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -102,14 +102,14 @@ Before you create a thorough BitLocker recovery process, we recommend that you t **To force a recovery for the local computer:** -1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. +1. Select the **Start** button, type **cmd** in the **Start Search** box, and select and hold **cmd.exe**, and then select **Run as administrator**. 2. At the command prompt, type the following command and then press **ENTER**: `manage-bde -forcerecovery ` **To force recovery for a remote computer:** -1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. +1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**. 2. At the command prompt, type the following command and then press **ENTER**: @@ -150,7 +150,7 @@ If the user does not have a recovery password in a printout or on a USB flash dr - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Select the **Do not enable BitLocker until recovery information is stored in AD +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. > [!NOTE] 
@@ -250,9 +250,9 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 1. Unlock the computer using the recovery password. 2. Reset the PIN: - 1. Right-click the drive and then click **Change PIN** - 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then click **Finish**. + 1. Select and hold the drive and then select **Change PIN** + 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**. 3. You will use the new PIN the next time you unlock the drive. ### Lost startup key @@ -263,7 +263,7 @@ If you have lost the USB flash drive that contains the startup key, then you mus 1. Log on as an administrator to the computer that has its startup key lost. 2. Open Manage BitLocker. -3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then click **Save**. +3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then select **Save**. ### Changes to boot files From 0264341de4b11b7d492b3d811fab1467d2fe43d0 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 16 Sep 2022 14:52:27 +0530 Subject: [PATCH 039/106] Update bitlocker-overview.md --- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 9a6ffdc982..35d12539cf 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -98,7 +98,7 @@ When installing the BitLocker optional component on a server, you will also need | [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.| -| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic describes how to use BitLocker with Windows 10 IoT Core | +| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic describes how to use BitLocker with Windows IoT Core | From e2e3e10af45e911f0ef1c473d3dbb1c4b3766625 Mon Sep 17 00:00:00 2001 From: Thorsten Sauter Date: Sun, 25 Sep 2022 04:47:48 -0700 Subject: [PATCH 040/106] Fixed broken link in Hello Planning Guide This fixes the broken link in the WHFB Planning Guide. The link text is the title of the page being linked to. --- .../hello-for-business/hello-planning-guide.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 32137c8e75..e48d058b7b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md. +> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment (Preview)](./hello-hybrid-cloud-kerberos-trust.md). The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. 
@@ -349,4 +349,4 @@ If boxes **2a** or **2b** read **modern management** and you want devices to aut ## Congratulations, You're Done -Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment. \ No newline at end of file +Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment. From 303822485ca562517d4b5acf9977e23dadc09f4f Mon Sep 17 00:00:00 2001 From: Florian Stosse Date: Fri, 30 Sep 2022 14:58:58 +0200 Subject: [PATCH 041/106] [WDAC] Ensure that destination folders are present If not, we create them. --- .../deployment/deploy-wdac-policies-with-script.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 28a74c5e9f..9d25e238cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
@@ -88,8 +88,9 @@ In addition to the steps outlined above, the binary policy file must also be cop $MountPoint = 'C:\EFIMount' $EFIDestinationFolder = "$MountPoint\EFI\Microsoft\Boot\CiPolicies\Active" $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] + if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } mountvol $MountPoint $EFIPartition - mkdir $EFIDestinationFolder + if (-Not (Test-Path $EFIDestinationFolder)) { New-Item -Path $EFIDestinationFolder -Type Directory -Force } ``` 2. Copy the signed policy to the created folder: From 33a102ed43a60663b7502613d41dacb604730b54 Mon Sep 17 00:00:00 2001 From: Will Dormann Date: Fri, 30 Sep 2022 10:26:51 -0400 Subject: [PATCH 042/106] Clarify EFI partition instructions to indicate that they only apply to signed WDAC policies. --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 28a74c5e9f..997ee71da1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
@@ -80,7 +80,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p ## Deploying signed policies -In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. +If you are using [signed WDAC policies](windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: From 473dda6385f162cc977e5831789eb83bb3ffe88f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 15:11:40 +0530 Subject: [PATCH 043/106] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 7b225fb595..27891404e0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -24,7 +24,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and later -This topic describes how to recover BitLocker keys from AD DS. +This article describes how to recover BitLocker keys from AD DS. Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment. From f72780a0775f6008e8eaac6f42a95858f9f3c562 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 15:50:45 +0530 Subject: [PATCH 044/106] Update bitlocker-recovery-guide-plan.md --- .../bitlocker/bitlocker-recovery-guide-plan.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 27891404e0..34a2bde95f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -274,15 +274,6 @@ This error occurs if you updated the firmware. As a best practice, you should su Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. -### Changes to boot files - -This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time. - - -## Windows RE and its usage in BitLocker Device Encryption - -Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). 
If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. - Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally. The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. From 5a69cd2eceecf00b57c6da3c690e988a328cec28 Mon Sep 17 00:00:00 2001 
From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:54:33 +0530 Subject: [PATCH 045/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 926c0e071b13ecee97ae14116a51347f7fba6c71 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:55:05 +0530 Subject: [PATCH 046/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
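Review bot: The `+` line in PATCH 045's `@@ -23,7 +23,7 @@` hunk keeps "This topic", while PATCH 051 and 052 of this series rename "topic" to "article" in bitlocker-device-encryption-overview-windows-10.md. Suggest using one term across the BitLocker pages, for example "This article for the IT professional explains how to plan BitLocker deployment."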
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 1cab382ffde0cd1c6f7a3f6ba9d99025252b5718 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:55:31 +0530 Subject: [PATCH 047/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
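Review bot: PATCH 046's `@@ -23,7 +23,7 @@` hunk is the same one-line change as PATCH 045, with the same `index 4cda103d80..ded42ee1ee` line, so once 045 is applied the `-` line "This topic for the IT professional explains how can you plan your BitLocker deployment." is no longer in the file and this hunk has nothing to match. PATCH 047 and 048 repeat it again. Suggest dropping the repeats from the series or squashing them into 045.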
@@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From a684dbd5829aeb6042b75ca8c23c81cce112850f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:56:21 +0530 Subject: [PATCH 048/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 4cda103d80..ded42ee1ee 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how can you plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 30c45fba094b1c47ad39c149aee8021237df2d53 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 16:57:03 +0530 Subject: [PATCH 049/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 1b77d14e1c..8df6789baa 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic explains how to plan your BitLocker deployment. +This topic for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. From ed4741461d61a6285098c8393990edfb8b1847b2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 17:03:26 +0530 Subject: [PATCH 050/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 8df6789baa..9c7eba189e 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -25,7 +25,7 @@ ms.custom: bitlocker This topic for the IT professional explains how to plan BitLocker deployment. -When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems. +When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. ## Audit your environment From d330f0e687bf42a34d049e31dedb6ab8493eb8c2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 17:13:46 +0530 Subject: [PATCH 051/106] Update bitlocker-device-encryption-overview-windows-10.md --- .../bitlocker-device-encryption-overview-windows-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 334dcb3e62..e1d313bfbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
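Review bot: The `+` line in PATCH 050's `@@ -25,7 +25,7 @@` hunk introduces future tense ("The following sections will help you collect information") and repeats "help" and "information" across two sentences, where the line it replaces was one present-tense sentence. The kept text in the `@@ -274,15 +274,6 @@` hunk moves the other way, from "will automatically start" to "automatically starts". Suggest a single present-tense sentence, for example "The following sections help you collect information for your decision-making process about deploying and managing BitLocker systems."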
@@ -22,8 +22,8 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. -For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. +For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. From 271bfaac7de979ed56b3a95d91721a6fa38f564f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 3 Oct 2022 17:16:10 +0530 Subject: [PATCH 052/106] Update bitlocker-device-encryption-overview-windows-10.md --- .../bitlocker-device-encryption-overview-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 20fe2b176d..79e687ca90 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
@@ -21,7 +21,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and later -This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. From 3a36dbfe58f0bc8651bc123964aff4efd6bc6300 Mon Sep 17 00:00:00 2001 From: sbhagurkar <54380290+sbhagurkar@users.noreply.github.com> Date: Tue, 4 Oct 2022 11:57:54 -0700 Subject: [PATCH 053/106] Remove out of place 'the'. --- windows/client-management/mdm/personaldataencryption-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md index 598c8121ec..c7617394d0 100644 --- a/windows/client-management/mdm/personaldataencryption-csp.md +++ b/windows/client-management/mdm/personaldataencryption-csp.md 
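Review bot: PATCH 052's `@@ -21,7 +21,7 @@` hunk makes the same "topic" to "article" replacement as PATCH 051 in the same file, but against a different pre-image: `index 20fe2b176d`, both sentences on one line and "Windows Server 2016 and later" in the context, versus 051's `index 334dcb3e62`, two lines and "Windows Server 2016 and above". Applied in order, this hunk will not match the file that 051 leaves behind. Suggest rebasing so that a single patch carries the rename.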
@@ -31,7 +31,7 @@ The following shows the PersonalDataEncryption configuration service provider in - 0 is default (disabled) - 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). -The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for the PDE to be enabled. +The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled. **Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE aren't met, then the status will be 0. If all prerequisites are met for PDE, then PDE will be enabled and status will be 1. From a6fd367a609a3bdedd08b126971bceaabfe728cc Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 09:49:22 -0700 Subject: [PATCH 054/106] Add "Device Management" row to 1st table Add more spacing in Description column --- ...tial-services-and-connected-experiences.md | 59 +++++++++---------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index a4f4601c25..64119e56a4 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -7,7 +7,6 @@ author: DHB-MSFT ms.author: danbrown manager: dougeby ms.technology: privacy -ms.date: 11/24/2021 ms.collection: highpri --- 
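Review bot: The `@@ -7,7 +7,6 @@` hunk of PATCH 054 deletes `ms.date: 11/24/2021` from the front matter without a replacement, and the commit message mentions only the new "Device Management" row and the extra spacing. If the key is meant to go, say so in the message; otherwise update it to the date of this change instead of removing it.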
@@ -16,7 +15,7 @@ ms.collection: highpri **Applies to** -- Windows 11 +- Windows 11, version 21H2 and later - Windows 10, version 1903 and later Windows includes features that connect to the internet to provide enhanced experiences and additional service-based capabilities. These features are called connected experiences. For example, Microsoft Defender Antivirus is a connected experience that delivers updated protection to keep the devices in your organization secure. @@ -36,37 +35,37 @@ Although enterprise admins can turn off most essential services, we recommend, w | **Essential service** | **Description** | | --- | --- | -|Authentication|The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.
    To turn it off, see [Microsoft Account](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#12-microsoft-account).| -|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
    If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
    To turn it off, see [Automatic Root Certificates Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update).| -| Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.
    To turn it off, see [Services Configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).| -| Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.
    To turn off licensing services, see [License Manager](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).| -| Networking | Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows devices will lose network connectivity.
    To turn off Network Adapters, see [Disable-NetAdapter](/powershell/module/netadapter/disable-netadapter).| -| Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.
    To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).| -| Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality will not be available to Microsoft.
    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| -| Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.
    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| -| Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.
    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| - +|Authentication|The authentication service is required to enable sign in to work or school accounts. It validates a user’s identity and provides access to multiple apps and system components like OneDrive and activity history. Using a work or school account to sign in to Windows enables Microsoft to provide a consistent experience across your devices. If the authentication service is turned off, many apps and components may lose functionality and users may not be able to sign in.

    To turn it off, see [Microsoft Account](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#12-microsoft-account).| +|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA), are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates that are publicly known to be fraudulent. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.

    If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.

    To turn it off, see [Automatic Root Certificates Update](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update).| +| Services Configuration | Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

    To turn it off, see [Services Configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration).| +| Licensing | Licensing services are used for the activation of Windows, and apps purchased from the Microsoft Store. If you disable the Windows License Manager Service or the Software Protection Platform Service, it may prevent activation of genuine Windows and store applications.

    To turn off licensing services, see [License Manager](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#9-license-manager) and [Software Protection Platform](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#19-software-protection-platform).| +| Networking | Networking in Windows provides connectivity to and from your devices to the local intranet and internet. If you turn off networking, Windows devices will lose network connectivity.

    To turn off Network Adapters, see [Disable-NetAdapter](/powershell/module/netadapter/disable-netadapter).| +| Device setup | The first time a user sets up a new device, the Windows out-of-box experience (OOBE) guides the user through the steps to accept the license agreement, connect to the internet, sign in to (or sign up for) a Microsoft account, and takes care of other important tasks. Most settings can also be changed after setup is completed.

    To customize the initial setup experience, see [Customize Setup](/windows-hardware/customize/desktop/customize-oobe).| +| Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.

    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| +| Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.

    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| +| Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| +|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm/) | ## Windows connected experiences | **Connected experience** | **Description** | | --- | --- | -|Activity History|Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user. Synchronization across devices only works when a user signs in with the same account.
    To turn it off, see [Activity History](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#1822-activity-history). | -|Cloud Clipboard|Cloud Clipboard enables users to copy images and text across all Windows devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.
    To turn it off, see [Cloud Clipboard](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#30-cloud-clipboard). | -| Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.
    To turn it off, see [Date and Time](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). | -| Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.
    If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.
    To turn it off, see [Delivery Optimization](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). | -| Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.
    To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinput). | -| Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.
    To turn it off, see [Find My Device](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). | -| Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.
    To turn it off, see [Location services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). | -| Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.
    To turn it off, see [Microsoft Defender Antivirus](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender). | -| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you cannot block a website or warn users they may be accessing a malicious site.
    To turn it off, see [Microsoft Defender SmartScreen](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). | -| OneDrive | OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.
    To turn off OneDrive, see [OneDrive](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#16-onedrive). | -| Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.
    To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). | -| Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.
    To turn it off, see [Speech recognition](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). | -| Windows backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.
    To turn it off, see [Sync your settings](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). | +|Activity History|Activity History shows a history of activities a user has performed and can even synchronize activities across multiple devices for the same user. Synchronization across devices only works when a user signs in with the same account.

    To turn it off, see [Activity History](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#1822-activity-history). | +|Cloud Clipboard|Cloud Clipboard enables users to copy images and text across all Windows devices when they sign in with the same account. Users can paste from their clipboard history and also pin items.

    To turn it off, see [Cloud Clipboard](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#30-cloud-clipboard). | +| Date and Time | The Windows Time service is used to synchronize and maintain the most accurate date and time on your devices. It's installed by default and starts automatically on devices that are part of a domain. It can be started manually on other devices. If this service is stopped, date and time synchronization will be unavailable and any services that explicitly depend on it will fail to start.

    To turn it off, see [Date and Time](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#3-date--time). | +| Delivery Optimization | Delivery Optimization is a cloud-managed, peer-to-peer client and a downloader service for Windows updates, upgrades, and applications to an organization's networked devices. Delivery Optimization allows devices to download updates from alternate sources, such as other peers on the network, in addition to Microsoft servers. This helps when you have a limited or unreliable Internet connection and reduces the bandwidth needed to keep all your organization's devices up to date.

    If you have Delivery Optimization Peer-to-Peer option turned on, devices on your network may send and receive updates and apps to other devices on your local network, if you choose, or to devices on the Internet. By default, devices running Windows will only use Delivery Optimization to get and receive updates for devices and apps on your local network.

    To turn it off, see [Delivery Optimization](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#28-delivery-optimization). | +| Emojis and more | The Emoji and more menu allows users to insert a variety of content like emoji, kaomoji, GIFs, symbols, and clipboard history. This connected experience is new in Windows 11.

    To turn it off, see [Emojis availability](/windows/client-management/mdm/policy-csp-textinput). | +| Find My Device | Find My Device is a feature that can help users locate their Windows device if it's lost or stolen. This feature only works if a Microsoft account is used to sign in to the device, the user is an administrator on the device, and when location is turned on for the device. Users can find their device by logging in to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) under the Find My Device tab.

    To turn it off, see [Find My Device](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#5-find-my-device). | +| Location services | The device location setting enables certain Windows features such as auto setting the time zone or Find My Device to function properly. When the device location setting is enabled, the Microsoft location service will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and IP address to determine the device’s location. Depending on the capabilities of the device, its location can be determined with varying degrees of accuracy and may in some cases be determined precisely.

    To turn it off, see [Location services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location). | +| Microsoft Defender Antivirus | Microsoft Defender Antivirus provides cloud-delivered protection against new and emerging threats for the devices in your organization. Turning off Microsoft Defender Antivirus will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    To turn it off, see [Microsoft Defender Antivirus](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-defender). | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen is a feature of Windows, Internet Explorer, and Microsoft Edge. It helps protect users against phishing or malware websites and applications, and the downloading of potentially malicious files. Turning off Microsoft Defender SmartScreen means you can't block a website or warn users they may be accessing a malicious site.

    To turn it off, see [Microsoft Defender SmartScreen](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen). | +| OneDrive | OneDrive is a cloud storage system that allows you to save your files and photos, and access them from any device, anywhere.

    To turn off OneDrive, see [OneDrive](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#16-onedrive). | +| Troubleshooting Service | Windows troubleshooting service will automatically fix critical issues like corrupt settings that keep critical services from running. The service will also make adjustments to work with your hardware, or make other specific changes required for Windows to operate with the hardware, apps, and settings you’ve selected. In addition, it will recommend troubleshooting for other problems that aren’t critical to normal Windows operation but might impact your experience.

    To turn it off, see [Troubleshooting service](/windows/client-management/mdm/policy-csp-troubleshooting). | +| Voice Typing | Voice typing (also referred to as Windows dictation in earlier versions of Windows) allows users to write text by speaking by using Microsoft’s online speech recognition technology.

    To turn it off, see [Speech recognition](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech). | +| Windows backup | When settings synchronization is turned on, a user's settings are synced across all Windows devices when they sign in with the same account.

    To turn it off, see [Sync your settings](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-sync-your-settings). | | Windows Dashboard Widgets | Windows Dashboard widget is a dynamic view that shows users personalized content like news, weather, their calendar and to-do list, and recent photos. It provides a quick glance view, which allows users to be productive without needing to go to multiple apps or websites. This connected experience is new in Windows 11. | -| Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://insider.windows.com/).
    To turn it off, see [Windows Insider Program](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). | -| Windows Search | Windows Search lets users use the search box on the taskbar to find what they are looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.
    To turn it off, see [Windows Search](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). | -| Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.
    Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.
    To turn it off, see [Windows Spotlight](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight). | +| Windows Insider Program | The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to builds of Windows. Once you've registered for the program, you can run Insider Preview builds on as many devices as you want, each in the channel of your choice. Learn how to join the Windows Insider program by visiting the program’s [website](https://insider.windows.com/).

    To turn it off, see [Windows Insider Program](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#7-insider-preview-builds). | +| Windows Search | Windows Search lets users use the search box on the taskbar to find what they're looking for, whether it’s on their device, in the cloud, or on the web. Windows Search can provide results for items from the device (including apps, settings, and files), the users account (including OneDrive, SharePoint, and other Microsoft services), and the internet.

    To turn it off, see [Windows Search](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search). | +| Windows Spotlight | Windows Spotlight displays new background images on the lock screen each day. Additionally, it provides feature suggestions, fun facts, and tips on the lock screen background.

    Administrators can turn off Windows Spotlight features to prevent users from using the Windows Spotlight background.

    To turn it off, see [Windows Spotlight](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight). | ## Microsoft Edge essential services and connected experiences @@ -81,11 +80,11 @@ Internet Explorer shares many of the Windows essential services listed above. Th | **Connected experience** | **Description** | | --- | --- | -|ActiveX Filtering|ActiveX controls are small apps that allow websites to provide content such as videos and games, and let users interact with controls like toolbars and stock tickers. However, these apps can sometimes malfunction, and in some cases, they might be used to collect information from user devices, install software without a user's agreement, or be used to control a device remotely without a user's permission.
    ActiveX Filtering in Internet Explorer prevents sites from installing and using these apps which, can help keep users safer as they browse, but it can also affect the user experience of certain sites as interactive content might not work when ActiveX Filtering is on.
    Note: To further enhance security, Internet Explorer also allows you to block out-of-date ActiveX controls. | +|ActiveX Filtering|ActiveX controls are small apps that allow websites to provide content such as videos and games, and let users interact with controls like toolbars and stock tickers. However, these apps can sometimes malfunction, and in some cases, they might be used to collect information from user devices, install software without a user's agreement, or be used to control a device remotely without a user's permission.
    ActiveX Filtering in Internet Explorer prevents sites from installing and using these apps, which can help keep users safer as they browse, but it can also affect the user experience of certain sites as interactive content might not work when ActiveX Filtering is on.
    Note: To further enhance security, Internet Explorer also allows you to block out-of-date ActiveX controls. | |Suggested Sites|Suggested Sites is an online experience that recommends websites, images, or videos a user might be interested in. When Suggested Sites is turned on, a user’s web browsing history is periodically sent to Microsoft.| | Address Bar and Search suggestions | With search suggestions enabled, users will be offered suggested search terms as they type in the Address Bar. As users type information, it will be sent to the default search provider. | | Auto-complete feature for web addresses | The auto-complete feature suggests possible matches when users are typing web addresses in the browser address bar. | -| Compatibility logging | This feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It is disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed. | +| Compatibility logging | This feature is designed for use by developers and IT professionals to determine the compatibility of their websites with Internet Explorer. It's disabled by default and needs to be enabled to start logging Internet Explorer events in the Windows Event Viewer. These events describe failures that might have happened on the site and can include information about specific controls and webpages that failed. | | Compatibility View | Compatibility View helps make websites designed for older browsers look better when viewed in Internet Explorer. The compatibility view setting allows you to choose whether an employee can fix website display problems they encounter while browsing. 
| | Flip ahead | Flip ahead enables users to flip through web content quickly by swiping across the page or by clicking forward. When flip ahead is turned on, web browsing history is periodically sent to Microsoft. If you turn off this setting, users will no longer be able swipe across a screen or click forward to go to the next pre-loaded page of a website. | | Web Slices | A Web Slice enables users to subscribe to and automatically receive updates to content directly within a web page. Disabling the RSS Feeds setting will turn off background synchronization for feeds and Web Slices. | From a280e290b43ad1a86e62440a4a1d8ceab1edfde2 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 10:05:58 -0700 Subject: [PATCH 055/106] Update events section --- ...ndows-diagnostic-events-and-fields-1703.md | 159 ++++++++---------- 1 file changed, 67 insertions(+), 92 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 84a10ffdbb..f5dfb0b57d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -8,8 +8,6 @@ ms.author: danbrown manager: dougeby ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: ms.technology: privacy --- 
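Review bot: In the Windows Search row of the connected experiences table (the patch preceding PATCH 055/106), the added line still reads "the users account"; since the line is being rewritten anyway, make it "the user's account". In the same table, the added Activity History and Cloud Clipboard rows link with a relative "manage-connections-from-windows-operating-system-components-to-microsoft-services.md#..." path while every other added row uses the "/windows/privacy/..." form, so pick one link style for all rows.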
@@ -29,7 +27,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) 
@@ -1213,7 +1212,7 @@ The following fields are available: - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. - **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. - **RunResult** The hresult of the Appraiser diagnostic data run. - **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **StoreHandleIsNotNull** Obsolete, always set to false 
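Review bot: The replacement RunOnline line introduces a typo, "theefore". The line it removes spelled "therefore" correctly and is otherwise identical, so this change should be dropped.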
@@ -1284,10 +1283,10 @@ This event sends type and capacity data about the battery on the device, as well The following fields are available: - **InternalBatteryCapablities** Represents information about what the battery is capable of doing. -- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity to estimate the battery's wear. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. - **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. - **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected. Boolean value. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. ### Census.Enterprise 
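Review bot: Both replaced lines in this battery hunk differ from the originals only by stray whitespace: an extra space after "DesignedCapacity" in InternalBatteryCapacityCurrent and a space before the period after "AlwaysOnAlwaysConnected" in IsAlwaysOnAlwaysConnectedCapable. Keep the original lines. Separately, the field list names the design value InternalBatteryCapacityDesign, so the reference to "DesignedCapacity" would be clearer if it used that name.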
@@ -1299,19 +1298,19 @@ The following fields are available: - **AzureOSIDPresent** Represents the field used to identify an Azure machine. - **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. - **ContainerType** The type of container, such as process or virtual machine hosted. - **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (Azure AD) tenant? true/false +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false - **IsDERequirementMet** Represents if the device can do device encryption. - **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption - **IsDomainJoined** Indicates whether a machine is joined to a domain. - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. 
-- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. ### Census.Firmware @@ -1432,7 +1431,7 @@ The following fields are available: - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. - **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. 
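Review bot: The Census.Enterprise hunk swaps "Azure AD" for "AAD" in IsCloudDomainJoined and "Configuration Manager" for "System Center Configuration Manager (SCCM)" and "SCCM ID" in SCCMClientId and SystemCenterID, and it adds extra spaces in CommercialId and ServerFeatures. The commit subject ("Update events section") does not explain a terminology change, so confirm it is intended and not a regeneration from an older source. In the OSInstallType hunk that follows, the new line drops the period after "etc", leaving the sentence unterminated.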
@@ -1486,7 +1485,7 @@ The following fields are available: - **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. - **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). - **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. - **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. - **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. 
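Review bot: RemotelyManaged now reads "remote admininistrator", a misspelling the removed line did not have ("administrator"). That is the only difference between the two lines, so drop the change.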
@@ -1579,9 +1578,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -1818,7 +1817,7 @@ The following fields are available: - **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp. - **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to. -- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc. +- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc.. - **placementId** Name of surface, such as LockScreen or Start. 
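Review bot: In the eventType line, "etc.." ends with a doubled period, and "such a impression" (carried over from the removed line) should be "such as an impression". In the preceding Windows Update hunk, WUDODownloadMode now uses "WU" before WUMachineId, the next field, expands it as "Windows Update (WU)"; keep the expansion at first use.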
@@ -1866,7 +1865,6 @@ The following fields are available: - **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. - **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry). - **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. -- **CanPerformScripting** True if UTC is allowed to perform scripting. - **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. - **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events. - **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed. 
@@ -1882,10 +1880,9 @@ The following fields are available: - **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups. - **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism. - **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA. -- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. - **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry). - **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. -- **CanPerformScripting** True if UTC is allowed to perform scripting. - **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. - **CanReportScenarios** True if we can report scenario completions, false otherwise. - **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started. 
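Review bot: CanCollectHeartbeats switches to "True if we can collect heartbeat telemetry, false otherwise.", while most neighbouring fields in this list, and the same field in the event above, use "True if UTC is allowed to ..."; keep one voice so it stays clear that the actor is the UTC client. The removal of CanPerformScripting here and in the previous hunk is not explained by the commit subject; if the field is no longer collected, the message should say so.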
@@ -1902,10 +1899,9 @@ The following fields are available: - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **LastConntectivityLossTime** Retrieves the last time the device lost free network. - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. ### TelClientSynthetic.HeartBeat_5 
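Review bot: The new RestrictedNetworkTime text drops the explanation that a restricted network is a metered (cost restricted) one, which was the only place in these fields that defined the term used by NetworkState ("1 = Restricted network"). Consider "The total number of seconds on a metered (cost restricted) network during this heartbeat period." Removing LastConntectivityLossTime is fine if that name was only a documentation typo, but if clients emit it the entry is still needed.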
@@ -2129,12 +2125,12 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: - **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process ID used as a correlation vector for process instances in the telemetry backend. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. 
- **AppVersion** The version of the app that has hung. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. @@ -2149,7 +2145,7 @@ The following fields are available: - **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. - **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. - **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative applicationIDof the package. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. ## Inventory events 
@@ -2700,24 +2696,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -2840,8 +2818,8 @@ The following fields are available: - **BatteryCapacity** Maximum battery capacity in mWh - **BatteryCharge** Current battery charge as a percentage of total capacity - **BatteryDischarging** Flag indicating whether the battery is discharging or charging -- **BootId** Monotonically increasing boot ID, reset on upgrades. -- **BootTimeUTC** Boot time in UTC file time. +- **BootId** Monotonically increasing boot id, reset on upgrades. +- **BootTimeUTC** Boot time in UTC  file time. - **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot. - **LastStateTransition** The previous state transition on the device. - **LastStateTransitionSub** The previous state subtransition on the device. 
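Review bot: The -2700,24 hunk deletes the three Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddIn sections (Add, Remove, StartSync) without any stated reason. In a reference that enumerates collected diagnostic events, a removal should be tied to confirmation that the events are no longer sent for this release. If they are still sent, restore the sections.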
@@ -3135,7 +3113,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. @@ -3233,7 +3211,7 @@ The following fields are available: - **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. - **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. -- **ServiceHealthPlugin** The name of the Service Health plug-in. +- **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. - **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. 
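Review bot: In the -3233,7 hunk the ServiceHealthPlugin line goes from "The name of the Service Health plug-in" to "The nae of the Service Health plug-in", which introduces a typo. Keep "name".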
@@ -3877,7 +3855,7 @@ This event sends basic metadata about the SetupPlatform update installation proc The following fields are available: -- **ActivityId** Provides a uniqueIDto correlate events that occur between a activity start event, and a stop event +- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event - **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.) - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. @@ -3919,7 +3897,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **accountType** The type of account that was deleted. Example: AD, Azure AD, or Local +- **accountType** The type of account that was deleted. Example: AD, AAD, or Local - **userSid** The security identifier of the account. - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). 
@@ -4038,7 +4016,7 @@ The following fields are available: - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? - **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. @@ -4109,7 +4087,7 @@ The following fields are available: - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** State of call - **EventType** Possible values are "Child", "Bundle", or "Driver". -- **FlightId** The specificIDof the flight the device is getting +- **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update - **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. 
@@ -4155,13 +4133,13 @@ The following fields are available: - **Edition** Identifies the edition of Windows currently running on the device. - **EventInstanceID** A globally unique identifier for event instance. - **EventNamespaceID** The ID of the test events environment. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was canceled, succeeded, or failed. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. - **EventType** Identifies the type of the event (Child, Bundle, or Driver). - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specificIDof the flight (pre-release build) the device is getting. +- **FlightId** The specific id of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. 
@@ -4183,7 +4161,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). 
@@ -4212,8 +4190,8 @@ The following fields are available: - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client - **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver" +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough - **FileId** A hash that uniquely identifies a file - **FileName** Name of the downloaded file 
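Review bot: The EventType line now lists "Relase" where the removed line had "Release". This line enumerates the possible values of the field, so the misspelling misdocuments a value; restore "Release". The EventScenario change from "canceled" to "cancelled" in the same hunk should follow whichever spelling the rest of the file settles on.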
@@ -4242,10 +4220,10 @@ The following fields are available: - **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" - **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any - **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby) +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state -- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.) +- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SuspendCount** Number of times this active download has entered a suspended state - **SuspendReason** Last reason for why this active download entered a suspended state 
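Review bot: PowerState now reads "at the time of heartbeart", a typo for "heartbeat", and ServiceID drops the period from "etc."; both removed lines were correct and should be kept. The unchanged IsNetworkMetered line in this hunk also carries mismatched quote characters around ?metered" that could be repaired in the same pass.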
@@ -4276,12 +4254,12 @@ The following fields are available: - **DeviceModel** What is the device model. - **DeviceOEM** What OEM does this device belong to. - **DownloadPriority** The priority of the download activity. -- **DownloadScenarioId** A unique ID for a given download used to tie together Windows Update and DO events. +- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. - **DriverPingBack** Contains information about the previous driver and system state. - **Edition** Indicates the edition of Windows being used. - **EventInstanceID** A globally unique identifier for event instance. -- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Canceled, Failed, etc. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed. +- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. - **ExtendedErrorCode** The extended error code. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. 
@@ -4337,7 +4315,7 @@ This event sends data about the ability of Windows to discover the location of a The following fields are available: -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed - **HResult** Indicates the result code of the event (success, cancellation, failure code HResult) - **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background - **NextExpirationTime** Indicates when the SLS cab expires @@ -4407,7 +4385,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is managed by Configuration Manager . +- **IsSccmManaged** This device is SCCM managed. - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. 
@@ -4506,7 +4484,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgent_FellBackToCanonical -This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4531,7 +4509,7 @@ The following fields are available: - **FlightMetadata** Contains the FlightId and the build being flighted. - **ObjectId** Unique value for each Update Agent mode. - **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled +- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled - **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate - **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). - **SessionId** Unique value for each Update Agent mode attempt . 
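Review bot: In the -4531,7 hunk the Result line renames the value labels from "2 = Canceled" and "4 = BlockCanceled" to "Cancelled" and "BlockCancelled". BlockCanceled reads as an identifier rather than prose, so check the spelling against the actual result enumeration before changing it. The context line "Unique value for each Update Agent mode attempt ." also has a stray space before the period.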
@@ -4548,7 +4526,7 @@ The following fields are available: - **FlightId** Unique ID for each flight. - **ObjectId** Unique value for each Update Agent mode. - **RelatedCV** Correlation vector value generated from the latest scan. -- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled +- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled - **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate - **SessionId** Unique value for each Update Agent mode attempt. - **UpdateId** Unique ID for each update. @@ -4604,7 +4582,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4620,7 +4598,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -4651,7 +4629,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4671,7 +4649,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4737,7 +4715,7 @@ This event sends a summary of all the update agent mitigations available for an ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -4753,13 +4731,13 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4814,7 +4792,7 @@ The following fields are available: - **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). - **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** An ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. 
@@ -4835,7 +4813,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. @@ -4856,7 +4834,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -4877,7 +4855,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. 
@@ -4919,7 +4897,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -4940,7 +4918,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. @@ -4961,7 +4939,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. 
@@ -5001,7 +4979,7 @@ This event sends a summary of all the setup mitigations available for this updat ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. @@ -5021,7 +4999,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. @@ -5030,7 +5008,7 @@ The following fields are available: ### Microsoft.Windows.WERVertical.OSCrash -This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. The following fields are available: 
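Review bot: In the -5030,7 hunk the OSCrash description now says "wheneveer a bug check occurs", a typo the removed line did not have; restore "whenever". The following sentence, "The is the OneCore version of this event", is carried over unchanged and should read "This is".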
@@ -5043,7 +5021,7 @@ The following fields are available: - **DumpFileAttributes** Codes that identify the type of data contained in the dump file - **DumpFileSize** Size of the dump file - **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report ID associated with this bug check (used for finding the corresponding report archive in Watson). +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). ### WerTraceloggingProvider.AppCrashEvent @@ -5071,7 +5049,7 @@ The following fields are available: - **TargetAppId** The target app ID. - **TargetAppVer** The target app version. - + ## Windows Store events @@ -5486,7 +5464,7 @@ The following fields are available: - **CatalogId** The Store Catalog ID for the product being installed. - **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition of the app being updated. +- **SkuId** Specfic edition of the app being updated. ### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest @@ -5500,7 +5478,7 @@ The following fields are available: ## Windows Update Delivery Optimization events -### Microsoft.OSG.DU.DeliveryOptClient.Downloadcanceled +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. 
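Review bot: The -5500,7 hunk corrects the heading to DownloadCanceled with a single "l", and the unchanged description below it says "a download was canceled", yet the other hunks in this patch switch prose to "cancelled". Pick one spelling for prose across the file and leave event and field names exactly as they are emitted.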
@@ -5866,7 +5844,7 @@ The following fields are available: - **detectionBlockreason** The reason detection did not complete. - **detectionDeferreason** A log of deferral reasons for every update state. - **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. - **interactive** Indicates whether the user initiated the session. - **revisionNumber** The Update revision number. @@ -5933,7 +5911,7 @@ The following fields are available: - **batteryLevel** Current battery capacity in mWh or percentage left. - **deferReason** Reason for install not completing. -- **errorCode** The error code represented by a hexadecimal value. +- **errorCode** The error code reppresented by a hexadecimal value. - **eventScenario** End-to-end update session ID. - **flightID** The ID of the Windows Insider build the device is getting. - **flightUpdate** Indicates whether the update is a Windows Insider build. @@ -6436,6 +6414,3 @@ The following fields are available: - **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. - **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. - **UserId** The XUID (Xbox User ID) of the current user. - - - From 75c2f46fbe0e2ec751390ca90e35c729bf687349 Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 10:36:42 -0700 Subject: [PATCH 056/106] Miscellaneous fixes (e.g. typos) --- ...ndows-diagnostic-events-and-fields-1703.md | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index f5dfb0b57d..d223a6c0eb 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1212,7 +1212,7 @@ The following fields are available: - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. - **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information. - **RunResult** The hresult of the Appraiser diagnostic data run. - **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **StoreHandleIsNotNull** Obsolete, always set to false 
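Review bot: Two typos in the context lines of this hunk are left unfixed by a commit whose purpose is typo fixes. RunAppraiser still reads "If this if false", and RunDate reads "the diagnostic data run was stated", which looks like it should be "started". The RunOnline correction from "theefore" to "therefore" is fine as is.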
@@ -1286,7 +1286,7 @@ The following fields are available: - **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. - **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. - **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected. Boolean value. ### Census.Enterprise 
@@ -1301,16 +1301,16 @@ The following fields are available: - **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. - **ContainerType** The type of container, such as process or virtual machine hosted. - **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (Azure AD) tenant? true/false - **IsDERequirementMet** Represents if the device can do device encryption. - **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption - **IsDomainJoined** Indicates whether a machine is joined to a domain. - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. +- **ServerFeatures** Represents the features installed on a Windows Server. 
This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier. ### Census.Firmware @@ -1431,7 +1431,7 @@ The following fields are available: - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. - **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc. - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. 
@@ -1485,7 +1485,7 @@ The following fields are available: - **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. - **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). - **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. - **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. - **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. 
@@ -1578,9 +1578,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -1817,7 +1817,7 @@ The following fields are available: - **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp. - **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to. -- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc.. +- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc. - **placementId** Name of surface, such as LockScreen or Start. 
@@ -2130,7 +2130,7 @@ This event sends data about hangs for both native and managed applications, to h The following fields are available: - **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppSessionGuid** GUID made up of process ID used as a correlation vector for process instances in the telemetry backend. - **AppVersion** The version of the app that has hung. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. @@ -2145,7 +2145,7 @@ The following fields are available: - **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. - **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. - **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application ID of the package. ## Inventory events 
@@ -2818,8 +2818,8 @@ The following fields are available: - **BatteryCapacity** Maximum battery capacity in mWh - **BatteryCharge** Current battery charge as a percentage of total capacity - **BatteryDischarging** Flag indicating whether the battery is discharging or charging -- **BootId** Monotonically increasing boot id, reset on upgrades. -- **BootTimeUTC** Boot time in UTC  file time. +- **BootId** Monotonically increasing boot ID, reset on upgrades. +- **BootTimeUTC** Boot time in UTC file time. - **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot. - **LastStateTransition** The previous state transition on the device. - **LastStateTransitionSub** The previous state subtransition on the device. @@ -3113,7 +3113,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. 
@@ -3211,7 +3211,7 @@ The following fields are available: - **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. - **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. -- **ServiceHealthPlugin** The nae of the Service Health plug-in. +- **ServiceHealthPlugin** The name of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. - **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. @@ -3855,7 +3855,7 @@ This event sends basic metadata about the SetupPlatform update installation proc The following fields are available: -- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event +- **ActivityId** Provides a unique ID to correlate events that occur between a activity start event, and a stop event - **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.) - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. 
@@ -3897,7 +3897,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **accountType** The type of account that was deleted. Example: AD, AAD, or Local +- **accountType** The type of account that was deleted. Example: AD, Azure AD, or Local - **userSid** The security identifier of the account. - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). @@ -4087,7 +4087,7 @@ The following fields are available: - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** State of call - **EventType** Possible values are "Child", "Bundle", or "Driver". -- **FlightId** The specific id of the flight the device is getting +- **FlightId** The specific ID of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update - **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. 
@@ -4139,7 +4139,7 @@ The following fields are available: - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific id of the flight (pre-release build) the device is getting. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. @@ -4191,7 +4191,7 @@ The following fields are available: - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client - **ClientVersion** The version number of the software distribution client - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver" - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough - **FileId** A hash that uniquely identifies a file - **FileName** Name of the downloaded file 
@@ -4220,7 +4220,7 @@ The following fields are available: - **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" - **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any - **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **PowerState** Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby) - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state - **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) @@ -4254,7 +4254,7 @@ The following fields are available: - **DeviceModel** What is the device model. - **DeviceOEM** What OEM does this device belong to. - **DownloadPriority** The priority of the download activity. -- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. +- **DownloadScenarioId** A unique ID for a given download used to tie together Windows Update and DO events. - **DriverPingBack** Contains information about the previous driver and system state. - **Edition** Indicates the edition of Windows being used. - **EventInstanceID** A globally unique identifier for event instance. 
@@ -4385,7 +4385,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is SCCM managed. +- **IsSccmManaged** This device is managed by Configuration Manager. - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. @@ -5008,7 +5008,7 @@ The following fields are available: ### Microsoft.Windows.WERVertical.OSCrash -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. The following fields are available: @@ -5464,7 +5464,7 @@ The following fields are available: - **CatalogId** The Store Catalog ID for the product being installed. - **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. +- **SkuId** Specific edition of the app being updated. ### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest @@ -5911,7 +5911,7 @@ The following fields are available: - **batteryLevel** Current battery capacity in mWh or percentage left. - **deferReason** Reason for install not completing. -- **errorCode** The error code reppresented by a hexadecimal value. +- **errorCode** The error code represented by a hexadecimal value. - **eventScenario** End-to-end update session ID. - **flightID** The ID of the Windows Insider build the device is getting. - **flightUpdate** Indicates whether the update is a Windows Insider build. From ce5fb5e83023c4899a7d6bbdb99ab959da724516 Mon Sep 17 00:00:00 2001 
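Review bot: in PATCH 056/106, the hunk at @@ -1301,16 +1301,16 rewrites the SCCMClientId line but keeps the subject-verb error "This ID correlate systems". Since the line is already being touched in a typo pass, change it to "This ID correlates systems". The field names SCCMClientId and SystemCenterID correctly stay as they are, because they are identifiers and not prose.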
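Review bot: in PATCH 056/106, the hunk at @@ -1578,9 +1578,9 expands "WU" on the WUDODownloadMode line but leaves the run-on in place: "how to acquire/distribute updates Delivery Optimization (DO) allows users" is two sentences with no period between them. Add the period after "updates". The same line now introduces the abbreviation "Windows Update (WU)" one line before WUMachineId introduces it again, so one of the two expansions can go.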
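Review bot: in PATCH 056/106, the hunk at @@ -1817,7 +1817,7 fixes the doubled period on the eventType line but leaves "such a impression" untouched. It should read "such as an impression". The eventToken context line just above also starts "In there are multiple item offers", which looks like it should be "If there are".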
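Review bot: in PATCH 056/106, the hunk at @@ -4220,7 +4220,7 corrects "heartbeart" on PowerState, but the IsNetworkMetered context line in the same hunk still has a damaged opening quote, reading ?metered" instead of "metered". That is an encoding leftover worth fixing in the same pass, using plain straight quotes on both sides.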
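Review bot: in PATCH 056/106, the hunk at @@ -5008,7 +5008,7 fixes "wheneveer" in the OSCrash description but the second sentence on the same added line still reads "The is the OneCore version of this event." Change it to "This is the OneCore version of this event."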
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 10:59:18 -0700 Subject: [PATCH 057/106] Update event section --- ...iagnostic-events-fields-windows-11-22H2.md | 176 +++++------------- 1 file changed, 42 insertions(+), 134 deletions(-) diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index aa6f04328c..1735e3b093 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -40,6 +40,7 @@ You can learn more about Windows functional and diagnostic data through these ar + ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -187,7 +188,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** Deprecated in RS3. ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove @@ -210,7 +210,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** Deprecated in RS3. ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd @@ -222,7 +221,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. -- **SdbEntries** Deprecated in RS3. ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync 
@@ -1108,6 +1106,12 @@ The following fields are available: - **Language** String containing the incompatible language pack detected. +### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled + +This event fires when HVCI is already enabled so no need to continue auto-enablement. + + + ## Common data extensions ### Common Data Extensions.app @@ -1270,19 +1274,6 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. ## Component-based servicing events @@ -1720,7 +1711,7 @@ The following fields are available: - **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion. - **PackageVersion** Windows Mixed Reality Portal app package version. - **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state. -- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. +- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. See [wilActivity](#wilactivity). ### TraceLoggingOasisUsbHostApiProvider.DeviceInformation 
@@ -2151,32 +2142,6 @@ The following fields are available: - **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''. -## OneSettings events - -### Microsoft.Windows.OneSettingsClient.Status - -This event indicates the config usage of status update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **flightId** Flight id. -- **time** Time. - - -## OOBE events - -### Microsoft.Windows.Shell.Oobe.ZDP.ZdpTaskCancelled - -This event is the result of an attempt to cancel ZDP task. - -The following fields are available: - -- **cancelReason** Enum for source/reason to cancel. -- **resultCode** HR result of the cancellation. - - -## Other events - ### Microsoft.Edge.Crashpad.HangEvent This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang. 
@@ -2193,102 +2158,28 @@ The following fields are available: - **stack_hash** A hash of the hanging stack. Currently not used or set to zero. -### Microsoft.Gaming.Critical.Error +## OneSettings events -Common error event used by the Gaming Telemetry Library to provide centralized monitoring for critical errors logged by callers using the library. +### Microsoft.Windows.OneSettingsClient.Status + +This event indicates the config usage of status update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. The following fields are available: -- **callStack** List of active subroutines running during error occurrence. -- **componentName** Friendly name meant to represent what feature area this error should be attributed to. Used for aggregations and pivots of data. -- **customAttributes** List of custom attributes. -- **errorCode** Error code. -- **extendedData** JSON blob representing additional, provider-level properties common to the component. -- **featureName** Friendly name meant to represent which feature this should be attributed to. -- **identifier** Error identifier. -- **message** Error message. -- **properties** List of properties attributed to the error. +- **flightId** Flight id. +- **time** Time. -### Microsoft.Gaming.Critical.ProviderRegistered +## OOBE events -Indicates that a telemetry provider has been registered with the Gaming Telemetry Library. +### Microsoft.Windows.Shell.Oobe.ZDP.ZdpTaskCancelled + +This event is the result of an attempt to cancel ZDP task The following fields are available: -- **providerNamespace** The telemetry Namespace for the registered provider. - - -### Microsoft.Gaming.OOBE.HDDBackup - -This event describes whether an External HDD back up has been found. - -The following fields are available: - -- **backupVersion** version number of backup. -- **extendedData** JSON blob representing additional, provider-level properties common to the component. 
-- **hasConsoleSettings** Indicates whether the console settings stored. -- **hasUserSettings** Indicates whether the user settings stored. -- **hasWirelessProfile** Indicates whether the wireless profile stored. -- **hddBackupFound** Indicates whether hdd backup is found. -- **osVersion** Operating system version. - - -### Microsoft.Gaming.OOBE.OobeComplete - -This event is triggered when OOBE activation is complete. - -The following fields are available: - -- **allowAutoUpdate** Allows auto update. -- **allowAutoUpdateApps** Allows auto update for apps. -- **appliedTransferToken** Applied transfer token. -- **connectionType** Connection type. -- **curSessionId** Current session id. -- **extendedData** JSON blob representing additional, provider-level properties common to the component. -- **instantOn** Instant on. -- **moobeAcceptedState** Moobe accepted state. -- **phaseOneElapsedTimeMs** Total elapsed time in milliseconds for phase 1. -- **phaseOneVersion** Version of phase 1. -- **phaseTwoElapsedTimeMs** Total elapsed time in milliseconds for phase 2. -- **phaseTwoVersion** Version of phase 2. -- **systemUpdateRequired** Indicates whether a system update required. -- **totalElapsedTimeMs** Total elapsed time in milliseconds of all phases. -- **usedCloudBackup** Indicates whether cloud backup is used. -- **usedHDDBackup** Indicates whether HDD backup is used. -- **usedOffConsole** Indicates whether off console is used. - - -### Microsoft.Gaming.OOBE.SessionStarted - -This event is sent at the start of OOBE session. - -The following fields are available: - -- **customAttributes** customAttributes. -- **extendedData** extendedData. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState - -This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. 
-- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantStateDownloading** True at the start Downloading. -- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. -- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. -- **UpdateAssistantStateInstalling** True at the start of Installing. -- **UpdateAssistantStatePostInstall** True at the start of PostInstall. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. - - -### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled - -This event fires when HVCI is already enabled so no need to continue auto-enablement. - +- **cancelReason** Enum for source/reason to cancel. +- **resultCode** HR result of the cancellation. ## Privacy consent logging events @@ -2423,7 +2314,7 @@ The following fields are available: ### Microsoft.Surface.Battery.Prod.BatteryInfoEventV3 -This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. +Hardware level data about battery performance. The following fields are available: 
@@ -2480,6 +2371,24 @@ The following fields are available: - **UpdateAttempted** Indicates if installation of the current update has been attempted before. +## Update Assistant events + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + ## Update events ### Update360Telemetry.UpdateAgentDownloadRequest @@ -3397,7 +3306,9 @@ The following fields are available: ### Microsoft.Windows.Update.Ux.MusUpdateSettings.Derived.ClientAggregated.LaunchPageDuration -This event is derived event results for the LaunchPageDuration scenario. +Derived Event Results for LaunchPageDuration Scenario. + +This event includes fields from [Metric](#metric). @@ -3454,6 +3365,3 @@ The following fields are available: - **SessionId** The UpdateAgent “SessionId” value. - **UpdateId** Unique identifier for the Update. - **WuId** Unique identifier for the Windows Update client. - - - From a6b5e4f9f3883760a4d340e80bff6068babb7d5c Mon Sep 17 00:00:00 2001 
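Review bot: in PATCH 057/106, the hunk at @@ -1270,19 +1274,6 deletes the "Common data fields" section and its Ms.Device.DeviceInventoryChange heading while other parts of the file still link to it. The hunk headers at @@ -187,7 +188,6, @@ -210,7 +210,6 and @@ -222,7 +221,6 all show "This event includes fields from [Ms.Device.DeviceInventoryChange]" as surrounding context, so those in-page links lose their target. Keep the section, or remove the links in the same commit.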
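Review bot: in PATCH 057/106, the hunk at @@ -1720,7 +1711,7 adds "See [wilActivity](#wilactivity)" to the wilActivity field, but none of the visible hunks add a wilActivity heading for that anchor to resolve to. Confirm the heading exists in this file before merging, or leave the link out.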
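Review bot: in PATCH 057/106, the hunk at @@ -2193,102 +2158,28 removes the documentation for five Microsoft.Gaming events (Critical.Error, Critical.ProviderRegistered, OOBE.HDDBackup, OOBE.OobeComplete and OOBE.SessionStarted), and no visible hunk adds them back, yet the commit message only says "Update event section". UpdateAssistantStartState and the HVCI event are relocated elsewhere in the patch, so the Gaming events are the only real deletions here and the message should say so and why. The re-added ZdpTaskCancelled description also lost its closing period ("an attempt to cancel ZDP task").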
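Review bot: in PATCH 057/106, the hunk at @@ -2423,7 +2314,7 replaces a full sentence with the fragment "Hardware level data about battery performance." and drops the statement of why the data is collected. Every other event description in the visible hunks is a complete sentence and most state the purpose, so keep the original wording: "This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly."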
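Review bot: in PATCH 057/106, the hunk at @@ -3397,7 +3306,9 adds "This event includes fields from [Metric](#metric)" without any visible hunk adding a Metric heading for the anchor to point at. It also swaps the sentence "This event is derived event results for the LaunchPageDuration scenario." for the title-cased fragment "Derived Event Results for LaunchPageDuration Scenario.", which does not match the sentence style of the neighbouring descriptions. Verify the link target and keep the description as a sentence.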
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 11:09:31 -0700 Subject: [PATCH 058/106] Fix broken links issues --- ...iagnostic-events-fields-windows-11-22H2.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index 1735e3b093..a0b4351043 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -1275,6 +1275,21 @@ The following fields are available: - **xid** A list of base10-encoded XBOX User IDs. +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + ## Component-based servicing events ### CbsServicingProvider.CbsCapabilitySessionFinalize 
@@ -1711,7 +1726,7 @@ The following fields are available: - **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion. - **PackageVersion** Windows Mixed Reality Portal app package version. - **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state. -- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. See [wilActivity](#wilactivity). +- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. ### TraceLoggingOasisUsbHostApiProvider.DeviceInformation @@ -3308,9 +3323,6 @@ The following fields are available: Derived Event Results for LaunchPageDuration Scenario. -This event includes fields from [Metric](#metric). - - ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit From 9eeda07d3950da373b1686bf44e38cc27cca89b3 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 12:25:17 -0700 Subject: [PATCH 059/106] Updates to events --- ...ndows-diagnostic-events-and-fields-1709.md | 149 +++++++----------- 1 file changed, 59 insertions(+), 90 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 6c6c14d919..a2c1dc626d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -8,8 +8,6 @@ ms.author: danbrown manager: dougeby ms.collection: M365-security-compliance ms.topic: article -ms.date: -ms.reviewer: ms.technology: privacy --- 
@@ -29,7 +27,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) @@ -40,7 +39,6 @@ You can learn more about Windows functional and diagnostic data through these ar - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount 
@@ -51,19 +49,19 @@ The following fields are available: - **DatasourceApplicationFile_RS4** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS4** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_RS4** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_RS4** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_RS4** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device. -- **DatasourceSystemBios_RS4** The total number of objects of this type present on this device. -- **DecisionApplicationFile_RS4** The total number of objects of this type present on this device. -- **DecisionDevicePnp_RS4** The total number of objects of this type present on this device. -- **DecisionDriverPackage_RS4** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_RS4** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_RS4** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS4** The total number of objects of this type present on this device. 
-- **DecisionMediaCenter_RS4** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS4** The total number of objects of this type present on this device. - **InventoryApplicationFile** The total number of objects of this type present on this device. @@ -82,7 +80,7 @@ The following fields are available: - **SystemWim** The total number of objects of this type present on this device. - **SystemWindowsActivationStatus** The total number of objects of this type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_RS4** The total number of objects of this type present on this device. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd 
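Review bot: In the -51,19 hunk, the replacement text "The count of the number of this particular object type present on this device." is redundant ("count of the number") and now differs from untouched bullets in the same list, such as `DatasourceApplicationFile_RS4` and `DecisionSystemBios_RS4`, which keep "The total number of objects of this type present on this device." Keep the original wording or change every bullet, so that readers do not infer the two phrasings describe different measurements.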
@@ -1377,7 +1375,7 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier 
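Review bot: The changed `SCCMClientId` line still reads "This ID correlate systems"; since the line is being touched only to lowercase "enterprise", fix the verb to "correlates" and hyphenate "OMS-based" in the same edit.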
@@ -1676,7 +1674,7 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update(WU) updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. - **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
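Review bot: The changed `WUDODownloadMode` line still runs two sentences together at "acquire/distribute updates Delivery Optimization (DO) allows"; add the period after "updates" while the line is open for the "Windows Update (WU)" spacing fix.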
@@ -1954,6 +1952,18 @@ This event is fired by UTC at state transitions to signal what data we are allow This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups. +- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism. +- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry). +- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. +- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started. +- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry. ### TelClientSynthetic.ConnectivityHeartBeat_0 
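Review bot: The added permission bullets mix two voices: `CanCollectHeartbeats` and `CanReportScenarios` say "True if we can ...", while the others say "True if UTC is allowed to ...". Use the UTC form throughout. Also confirm the `CanCollectAnyTelemetry` text: the field name says "Any" but the description limits it to "non-OS telemetry".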
@@ -1962,7 +1972,7 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensusExitCode** Returns last execution codes from census client run. +- **CensusExitCode** Last exit code of Census task - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. 
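Review bot: The new `CensusExitCode` text "Last exit code of Census task" drops the terminal period and the sentence form that the neighbouring bullets keep (for example "Returns timestamp corresponding to last successful census run."); suggest "The last exit code of the Census task."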
@@ -2212,7 +2222,7 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: 
@@ -2743,59 +2753,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. 
-- **Provider** Name of the provider for this add-in. -- **Usage** Data regarding usage of the add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. 
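Review bot: The -2743,59 hunk deletes the three InventoryMiscellaneousOfficeAddIn events (Add, Remove, StartSync) outright, and the commit message "Updates to events" gives no reason. For a privacy reference, the message should state whether these events are no longer collected on this version or are only being dropped from the article, and the change should be checked for remaining links that target the removed headings.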
@@ -3025,6 +2982,22 @@ The following fields are available: - **winInetError** The HResult of the operation. + +## Other events + +### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties + +This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. + +The following fields are available: + +- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. +- **nodeOperatingSystem** A user friendly description of the node's OS version. +- **nodeOSVersion** A major or minor build version string for the node's OS. +- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. +- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. + + ## Privacy logging notification events ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted 
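Review bot: In the added `otherProperties` bullet, "formatted as an quotes-escaped string" should read "formatted as a quote-escaped string", and the inline run of key names is hard to scan; a nested list with one key per line would match how the rest of the article documents fields. In the same hunk, "user friendly" in `nodeOperatingSystem` needs a hyphen.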
@@ -3727,7 +3700,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **accountType** The type of account that was deleted. Example: AD, Azure Active Directory (AAD), or Local +- **accountType** The type of account that was deleted. Example: AD, Azure Active Directory (Azure AD), or Local - **deleteState** Whether the attempted deletion of the user account was successful. - **userSid** The security identifier of the account. - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). @@ -4353,7 +4326,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgent_FellBackToCanonical -This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4451,7 +4424,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -4467,7 +4440,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4499,7 +4472,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4519,7 +4492,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentFellBackToCanonical -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -4535,7 +4508,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4631,7 +4604,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4647,7 +4620,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -4665,7 +4638,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4682,7 +4655,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5056,7 +5029,7 @@ This event sends a summary of all the setup mitigations available for this updat ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
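Review bot: The platform qualifier added across the Update360Telemetry and Setup360Telemetry hunks is worded differently almost every time ("which is leveraged by both Mobile and Desktop", "Applicable to PC and Mobile.", "which is applicable to both PCs and Mobile", "This event is only applicable to PCs."), and in UpdateAgentOneSettings and Setup360OneSettings it is attached with a semicolon ("update scenario; which is leveraged ..."), which should be a comma. Pick one phrasing and one set of platform names (PC or Desktop) and apply it to every event.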
@@ -6568,7 +6541,3 @@ This event indicates whether the system detected an activation error in the app. ### Microsoft.Xbox.XamTelemetry.AppActivity This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. - - - - From 1bef5a6c3d20bcd2afb191322b43999eebdbbd26 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 12:32:43 -0700 Subject: [PATCH 060/106] Updates to events --- ...ndows-diagnostic-events-and-fields-1803.md | 144 +++++------------- 1 file changed, 39 insertions(+), 105 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 8754ca2137..7d07b05bd4 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -8,8 +8,6 @@ ms.author: danbrown manager: dougeby ms.collection: M365-security-compliance ms.topic: article -ms.date: -ms.reviewer: ms.technology: privacy --- 
@@ -29,7 +27,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) @@ -39,7 +38,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount 
@@ -50,50 +48,50 @@ The following fields are available: - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_RS5** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_RS5** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_RS5** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. 
-- **DataSourceMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. -- **DatasourceSystemBios_RS5** The total number of objects of this type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS5Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. -- **DecisionApplicationFile_RS5** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. -- **DecisionDevicePnp_RS5** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. 
- **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. -- **DecisionDriverPackage_RS5** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS5** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS5** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. -- **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. 
- **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. -- **DecisionSystemBios_RS5** The total number of objects of this type present on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **InventoryApplicationFile** The total number of objects of this type present on this device. @@ -115,7 +113,7 @@ The following fields are available: - **SystemWlan** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. -- **Wmdrm_RS5** The total number of objects of this type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd 
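Review bot: In the -50,50 hunk, `DecisionMatchingInfoBlock_RS5` keeps the old description while the other `_RS5` bullets are changed, and `DecisionSystemBios_RS5` gets a third form, "The total DecisionSystemBios objects targeting the next release of Windows on this device." "The next release" is relative to when the text was written; name the version explicitly, as the 1709 patch does for `Wmdrm_RS4` ("targeting Windows 10, version 1803"), and give `DecisionMatchingInfoBlock_RS5` the same treatment as its siblings or say why it differs.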
@@ -1434,7 +1432,7 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier @@ -2323,9 +2321,6 @@ The following fields are available: - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. - **EventSubStoreResetCounter** Number of times event DB was reset. - **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. - **EventsUploaded** Number of events uploaded. 
@@ -3164,7 +3159,7 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: 
@@ -3707,61 +3702,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the office addin -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. 
-- **Provider** Name of the provider for this add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -4363,10 +4303,6 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Other events - - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted 
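Review bot: the hunk at -3707 deletes the InventoryMiscellaneousOfficeAddInAdd, InventoryMiscellaneousOfficeAddInRemove and InventoryMiscellaneousOfficeAddInStartSync sections outright, so the page no longer describes those events or any of their fields. For a reference that documents what is collected, the removal needs a stated reason in the commit message (event retired for this version, or documented in another article); if the events are still sent, the sections should stay.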
@@ -4545,7 +4481,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. @@ -4984,7 +4920,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **accountType** The type of account that was deleted. Example: AD, Azure Active Directory (AAD), or Local. +- **accountType** The type of account that was deleted. Example: AD, AAD, or Local - **deleteState** Whether the attempted deletion of the user account was successful. - **userSid** The security identifier of the account. - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). @@ -5460,6 +5396,7 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + ## Surface events ### Microsoft.Surface.Battery.Prod.BatteryInfoEvent 
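Review bot: in the hunk at -4984 the new accountType line loses its terminating period and replaces "Azure Active Directory (AAD)" with bare "AAD", so the acronym is no longer expanded anywhere in this field list. Keep the expanded form on first use and end the description with a period, as the other entries in the list do.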
@@ -5487,7 +5424,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is managed by Configuration Manager. +- **IsSccmManaged** This device is SCCM managed. - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. @@ -5576,7 +5513,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5592,7 +5529,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
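Review bot: "Applicable to PC and Mobile." in the UpdateAgentDownloadRequest description is a sentence fragment, and the same scope is worded differently in the UpdateAgentCommit hunk at -5576 ("which is leveraged by both Mobile and Desktop"). Use one phrasing and one pair of platform names for every Update360Telemetry event, for example a full sentence such as "This event applies to both PC and Mobile."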
@@ -5624,7 +5561,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5644,7 +5581,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentFellBackToCanonical -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5660,7 +5597,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -5758,7 +5695,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5774,7 +5711,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5792,7 +5729,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -5814,7 +5751,7 @@ This event sends information indicating that a request has been sent to suspend ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6121,7 +6058,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. 
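Review bot: the FlightData description in the hunk at -6121 is a client ID description ("this will be the WU client ID that is passed to Setup"), repeating the ClientId line directly above it in the context, so it never says what FlightData contains; the edit only shortens "Windows Update" to "WU". Describe the flight data itself, and keep "Windows Update" spelled out so the line stays consistent with ClientId.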
@@ -6258,7 +6195,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6804,7 +6741,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **wUfBConnected** Result of WUfB connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -6818,7 +6755,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **wUfBConnected** Result of WUfB connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -6859,7 +6796,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **wUfBConnected** Result of WUfB connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted 
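Review bot: the wUfBConnected lines in the hunks at -6804, -6818 and -6859 replace "Windows Update for Business" with "WUfB", which is not expanded anywhere in the visible field lists. Keep the full name, or write "Windows Update for Business (WUfB)" on first use, so a reader checking what the field reports does not have to decode the acronym.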
@@ -8183,7 +8120,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. @@ -8205,7 +8142,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. @@ -8296,6 +8233,3 @@ The following fields are available: - **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. - **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. - **UserId** The XUID (Xbox User ID) of the current user. - - - From a3dd5648a78151ca5fec28c009bfe7548ac09500 Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 12:44:43 -0700 Subject: [PATCH 061/106] Miscellaneous changes --- ...ndows-diagnostic-events-and-fields-1803.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 7d07b05bd4..3f5ec6ca08 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -4481,7 +4481,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. 
@@ -4920,7 +4920,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **accountType** The type of account that was deleted. Example: AD, AAD, or Local +- **accountType** The type of account that was deleted. Example: AD, Azure Active Directory (Azure AD), or Local - **deleteState** Whether the attempted deletion of the user account was successful. - **userSid** The security identifier of the account. - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). @@ -5424,7 +5424,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is SCCM managed. +- **IsSccmManaged** This device is managed by Configuration Manager. - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. @@ -5711,7 +5711,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -6058,7 +6058,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -6195,7 +6195,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -6741,7 +6741,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -6755,7 +6755,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -6796,7 +6796,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted 
@@ -8120,7 +8120,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. @@ -8142,7 +8142,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. From baadb814a6f603f684a7e42caca8891051a0af33 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 13:36:12 -0700 Subject: [PATCH 062/106] Updates to events --- ...ndows-diagnostic-events-and-fields-1809.md | 333 ++++++++++++------ 1 file changed, 228 insertions(+), 105 deletions(-) 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f6599e024a..dcf305a3a8 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -8,8 +8,6 @@ ms.author: danbrown manager: dougeby ms.collection: M365-security-compliance ms.topic: article -ms.date: -ms.reviewer: ms.technology: privacy --- @@ -28,8 +26,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) 
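Review bot: the second added line in the hunk at -28 carries two list items, the Windows 11 version 21H2 link followed immediately by "- [Windows 10, version 21H2, ..." with no line break (the +26,8 count confirms only two lines were added for three links). Markdown will render the Windows 10 2004 link as trailing text of the previous bullet, so split it onto its own "- " line.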
@@ -38,8 +36,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - ## Account trace logging provider events ### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General @@ -2166,8 +2162,8 @@ The following fields are available: - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. +- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier 
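Review bot: the SCCMClientId line in the hunk at -2166 is rewritten only to lowercase "enterprise" and still reads "This ID correlate systems ... and other OMS based systems". Since the line is being touched anyway, fix the verb agreement and the compound modifier: "This ID correlates systems ... and other OMS-based systems".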
@@ -2569,7 +2565,7 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. - **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
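Review bot: the rewritten WUDODownloadMode line still runs two sentences together ("how to acquire/distribute updates Delivery Optimization (DO) allows users ...") with no period after "updates". The edit also drops "(WU)" here while the WUMachineId line just below it in the context keeps "Windows Update (WU)"; add the missing period and settle on one treatment of the abbreviation within this list.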
@@ -2587,6 +2583,27 @@ The following fields are available: - **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. +## Code Integrity events + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Compatibility + +Fires when the compatibility check completes. Gives the results from the check. + +The following fields are available: + +- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false. +- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement. + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HVCIActivity + +Fires at the beginning and end of the HVCI auto-enablement process in sysprep. + +The following fields are available: + +- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. See [wilActivity](#wilactivity). + + ## Common data extensions ### Common Data Extensions.app @@ -3181,7 +3198,7 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensusExitCode** Returns last execution codes from census client run. +- **CensusExitCode** Last exit code of Census task - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. 
@@ -4446,7 +4463,7 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: 
@@ -4768,7 +4785,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). The following fields are available: @@ -4882,7 +4899,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). The following fields are available: 
@@ -5053,61 +5070,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. 
-- **Provider** Name of the provider for this add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -5154,7 +5116,7 @@ The following fields are available: This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.Device.DeviceInventoryChangd](#msdevicedeviceinventorychangd). The following fields are available: 
@@ -5197,7 +5159,7 @@ The following fields are available: - **FirmwareResetReasonPch** Reason for system reset provided by firmware. - **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). - **LastBootSucceeded** Flag indicating whether the last boot was successful. - **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. - **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. 
@@ -5470,6 +5432,25 @@ The following fields are available: - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. +### Microsoft.Edge.Crashpad.CrashEvent + +This event sends simple Product and Service Performance data on a crashing Microsoft Edge browser process to help mitigate future instances of the crash. + +The following fields are available: + +- **app_name** The name of the crashing process. +- **app_session_guid** Encodes the boot session, process id, and process start time. +- **app_version** The version of the crashing process. +- **client_id_hash** Hash of the browser client ID which helps identify installations. +- **etag** Encodes the running experiments in the browser. +- **module_name** The name of the module in which the crash originated. +- **module_offset** Memory offset into the module in which the crash originated. +- **module_version** The version of the module in which the crash originated. +- **process_type** The type of the browser process that crashed, e.g., renderer, gpu-process, etc. +- **stack_hash** Hash of the stack trace representing the crash. Currently not used or set to zero. +- **sub_code** The exception/error code representing the crash. + + ### Microsoft.WebBrowser.Installer.EdgeUpdate.Ping This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date. 
@@ -5785,6 +5766,7 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted 
@@ -5919,6 +5901,140 @@ The following fields are available: - **WusaInstallHResult** Internal result code from WUSA when used to install the quality update. +### Microsoft.Windows.Shell.EM.EMCompleted + +Event that tracks the effectiveness of an operation to mitigate an issue on devices that meet certain requirements. + +The following fields are available: + +- **cleanUpScheduledTaskHR** The result of the operation to clean up the scheduled task the launched the operation. +- **eulaHashHR** The result of the operation to generate a hash of the EULA file that's currently on-disk. +- **mitigationHR** The result of the operation to take corrective action on a device that's impacted. +- **mitigationResult** The enumeration value representing the action that was taken on the device. +- **mitigationResultReason** The string value representing the action that was taken on the device. +- **mitigationSuccessWriteHR** The result of writing the success value to the registry. +- **region** The device's default region at the time of execution. +- **windowsVersionString** The version of Windows that was computed at the time of execution. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult + +This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation + +This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. 
+ +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantAppFilePath** Path to Update Assistant app. +- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. +- **UpdateAssistantExeName** Exe name running as Update Assistant. +- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. +- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. +- **UpdateAssistantIsPushing** True if the update is pushing to the device. +- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. +- **UpdateAssistantOsVersion** Update Assistant OS Version. +- **UpdateAssistantPartnerId** Partner Id for Assistant application. +- **UpdateAssistantReportPath** Path to report for Update Assistant. +- **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. +- **UpdateAssistantUiType** The type of UI whether default or OOBE. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **UpdateAssistantVersionInfo** Information about Update Assistant application. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantInteractive + +An user action such as button click happens. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantInteractiveObjective** The objective of the action performed. +- **UpdateAssistantInteractiveUiAction** The action performed through UI. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. 
+ +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. +- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStateGeneralErrorDetails + +Details about errors of current state. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantGeneralErrorHResult** HResult of current state. +- **UpdateAssistantGeneralErrorOriginalState** State name of current state. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails + +This event provides details about user action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. +- **UpdateAssistantUserActionHResult** HRESULT of user action. +- **UpdateAssistantUserActionState** State name user performed action on. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantDwnldr.UpdateAssistantDownloadDetails + +Details about the Update Assistant ESD download. 
+ +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The counter for all telemetry on the device. +- **UpdateAssistantDownloadCancelled** True when the ESD download is cancelled. +- **UpdateAssistantDownloadDownloadTotalBytes** The total size in bytes of the download. +- **UpdateAssistantDownloadEditionMismatch** True if downloaded ESD doesn't match edition. +- **UpdateAssistantDownloadESDEncrypted** True if ESD is encrypted. +- **UpdateAssistantDownloadIs10s** True if ESD is 10s. +- **UpdateAssistantDownloadMessage** Message from a completed or failed download. +- **UpdateAssistantDownloadMsgSize** Size of the download. +- **UpdateAssistantDownloadNEdition** True if ESD is N edition. +- **UpdateAssistantDownloadPath** Full path to the download. +- **UpdateAssistantDownloadPathSize** Size of the path. +- **UpdateAssistantDownloadProductsXml** Full path of products xml. +- **UpdateAssistantDownloadTargetEdition** The targeted edition for the download. +- **UpdateAssistantDownloadTargetLanguage** The targeted language for the download. +- **UpdateAssistantDownloadUseCatalog** True if update assistant is using catalog. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + ## Remediation events ### Microsoft.Windows.Remediation.Applicable 
@@ -6053,7 +6169,7 @@ The following fields are available: - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. - **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. - **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). - **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use. - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. @@ -6815,7 +6931,7 @@ The following fields are available: - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. 
@@ -6870,9 +6986,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. 
@@ -6931,8 +7047,8 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. @@ -6994,6 +7110,7 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + ## Surface events ### Microsoft.Surface.Battery.Prod.BatteryInfoEvent @@ -7010,7 +7127,6 @@ The following fields are available: - **szBatteryInfo** Battery performance data. - ## System Resource Usage Monitor events ### Microsoft.Windows.Srum.Sdp.CpuUsage 
@@ -7061,7 +7177,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7077,7 +7193,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7114,7 +7230,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -7134,7 +7250,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentFellBackToCanonical -This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7150,7 +7266,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7249,7 +7365,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -7265,7 +7381,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7283,7 +7399,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -7549,7 +7665,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -7686,7 +7802,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7843,7 +7959,7 @@ The following fields are available: - **DPRange** Maximum mean value range. - **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure. +- **Value** Standard UTC emitted DP value structure See [Value](#value). ## Windows Store events 
@@ -8291,7 +8407,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **wUfBConnected** Result of WUfB connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -8305,7 +8421,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **wUfBConnected** Result of WUfB connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -8346,7 +8462,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **wUfBConnected** Result of WUfB connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded 
@@ -9562,10 +9678,10 @@ The following fields are available: - **CV** The correlation vector. - **GlobalEventCounter** Counts the events at the global level for telemetry. - **PackageVersion** The package version for currency tools. -- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is Azure Active Directoryjoined. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is Azure Active Directory-joined. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. - **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. - **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. - **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. 
@@ -9577,10 +9693,10 @@ The following fields are available: - **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. - **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager. -- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. +- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. 
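Review bot: The replacement descriptions in the @@ -9562 and @@ -9577 hunks swap spelled-out product names for abbreviations that are never defined and are not cased consistently: "AAD joined" on UnifiedInstallerDeviceAADJoinedHresult but "AADJ" on UnifiedInstallerDeviceIsAADJoined, and "Wufb managed" here against "WUfB" in the wUfBConnected hunks earlier in this file. Suggest keeping the expanded names ("Azure Active Directory-joined", "managed by Configuration Manager", "Windows Update for Business managed") or, if the abbreviations have to stay, expanding each on first use and settling on one casing. The context line for UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku also looks like two field names spliced together and is worth checking while this list is being touched.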
@@ -9647,7 +9763,7 @@ The following fields are available: ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin -This event is sent when the device is not joined to Azure Active Directory. The data collected with this event is used to help keep Windows up to date and secure. +This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. The following fields are available: @@ -9667,6 +9783,16 @@ The following fields are available: - **PackageVersion** Current package version of remediation. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICOInteractionCampaignComplete + +This event is generated whenever a RUXIM user interaction campaign becomes complete. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that became complete. +- **ResultId** The final result of the interaction campaign. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. 
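Review bot: In the added ICOInteractionCampaignComplete section, the ResultId description ("The final result of the interaction campaign.") does not say what form the value takes or which results are possible, so a reader cannot interpret the field. Suggest stating the type and the possible values, or pointing to where they are listed. The first hunk in this group also shortens "Azure Active Directory" to "AAD" in the UpdateHealthToolsServiceBlockedByNoDSSJoin description without expanding it anywhere in the visible text.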
@@ -9811,7 +9937,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique GUID that identifies each instances of setuphost.exe. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. @@ -9833,7 +9959,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. 
@@ -9856,7 +9982,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O The following fields are available: -- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. - **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. @@ -9983,6 +10109,3 @@ The following fields are available: - **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. - **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. - **UserId** The XUID (Xbox User ID) of the current user. - - - From 771bc3cf55b7cd72ad201ed49c83f310e6c79e91 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 13:51:02 -0700 Subject: [PATCH 063/106] fix broken links --- ...evel-windows-diagnostic-events-and-fields-1809.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index dcf305a3a8..f2d4bcb26d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -2592,7 +2592,7 @@ Fires when the compatibility check completes. Gives the results from the check. The following fields are available: - **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false. -- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement. +- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement). ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HVCIActivity @@ -4785,7 +4785,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -4899,7 +4899,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
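Review bot: The @@ -4785 and @@ -4899 hunks repair the mangled link text and anchor to "[Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange)", but nothing in the diff shows a heading in this article that generates that anchor, so the links may still resolve to nothing. Suggest confirming that an "Ms.Device.DeviceInventoryChange" heading exists in the 1809 article; if it does not, remove the "This event includes fields from" sentence instead, as the later hunks in this patch do for the [IO](#io) and [Value](#value) links.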
@@ -5116,7 +5116,7 @@ The following fields are available: This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChangd](#msdevicedeviceinventorychangd). +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -5159,7 +5159,7 @@ The following fields are available: - **FirmwareResetReasonPch** Reason for system reset provided by firmware. - **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. - **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. -- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. - **LastBootSucceeded** Flag indicating whether the last boot was successful. - **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. - **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. @@ -7959,7 +7959,7 @@ The following fields are available: - **DPRange** Maximum mean value range. - **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. -- **Value** Standard UTC emitted DP value structure See [Value](#value). +- **Value** Standard UTC emitted DP value structure. ## Windows Store events From c9547a90a33c642e73452835cdb14f7eedbce125 Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 14:00:09 -0700 Subject: [PATCH 064/106] Fix list formatting Update metadata --- ...sic-level-windows-diagnostic-events-and-fields-1809.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index f2d4bcb26d..700809831d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -1,14 +1,13 @@ --- description: Learn more about the Windows 10, version 1809 diagnostic data gathered at the basic level. title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.technology: privacy --- 
@@ -27,7 +26,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) -- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) From a6aa9bc12e8e081846cc748727d9025d8effbe05 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 15:29:50 -0700 Subject: [PATCH 065/106] Updates to event section --- ...windows-11-diagnostic-events-and-fields.md | 3487 ++++------------- 1 file changed, 839 insertions(+), 2648 deletions(-) diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index c5f8c39e62..12ca6c8f39 100644 
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -1,26 +1,20 @@ --- description: Learn more about the Windows 11 diagnostic data gathered at the basic level. title: Required diagnostic events and fields for Windows 11, version 21H2 -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: - - M365-security-compliance - - highpri +ms.collection: highpri ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy + --- # Required diagnostic events and fields for Windows 11, version 21H2 -> [!IMPORTANT] -> Windows is moving to classifying the data collected from customer’s devices as either Required or Optional. - - **Applies to** - Windows 11, version 21H2 @@ -44,8 +38,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - ## AppPlatform events ### AppPlatform.InstallActivity 
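Review bot: The front-matter hunk (@@ -1,26 +1,20 @@) removes "ms.date: 11/29/2021" without a replacement and adds an empty line just before the closing "---", which leaves the article with no date and a stray blank line inside the metadata block. Suggest setting ms.date to the date of this update and dropping the blank line. The same hunk deletes the [!IMPORTANT] note about classifying data as Required or Optional, which the commit subject "Updates to event section" does not cover; mention it in the commit message or move it to its own commit.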
@@ -91,98 +83,34 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_21H1** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. 
- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. 
-- **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. -- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_19H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device. -- **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. -- **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. -- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device. -- **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. -- **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. -- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device. 
-- **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. -- **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. -- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device. -- **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. -- **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. 
-- **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. -- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device. -- **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. -- **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. -- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. -- **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device. -- **DecisionSystemBios_RS2** The total number of objects of this type present on this device. -- **DecisionSystemBios_RS3** The total number of objects of this type present on this device. 
-- **DecisionTest_19H1** The total number of objects of this type present on this device. -- **DecisionTest_21H1** The total number of objects of this type present on this device. - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. -- **DecisionTest_RS2** The total number of objects of this type present on this device. -- **DecisionTest_RS3** The total number of objects of this type present on this device. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryLanguagePack** The count of the number of this particular object type present on this device. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. @@ -200,11 +128,7 @@ The following fields are available: - **SystemWim** The total number of objects of this type present on this device. - **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The total number of objects of this type present on this device. -- **Wmdrm_19H1** The count of the number of this particular object type present on this device. -- **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device. -- **Wmdrm_RS2** The total number of objects of this type present on this device. -- **Wmdrm_RS3** The total number of objects of this type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd 
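Review bot: After this hunk removes the _19H1, _21H1, _RS2 and _RS3 counters, the entries that remain still describe the same kind of value in two different ways ("The count of the number of this particular object type present on this device." and "The total number of objects of this type present on this device."), and DecisionSystemBios_19H1Setup carries a third wording. Suggest normalizing the descriptions of the surviving Setup fields to one sentence while the list is being rewritten, and noting in the commit message why the non-Setup counters were dropped.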
@@ -389,29 +313,6 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd - -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** Deprecated in RS3. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. 
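Review bot: This hunk deletes the DataSourceMatchingInfoPostUpgradeAdd and DataSourceMatchingInfoPostUpgradeRemove sections, but the DataSourceMatchingInfoPostUpgradeStartSync description kept as context still says "a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent", which now names an event the article no longer documents. Either keep the Add section or reword the StartSync description so it does not refer to it. The DecisionMatchingInfoPostUpgrade hunk later in this patch leaves the same dangling reference.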
@@ -435,17 +336,6 @@ The following fields are available: - **SdbEntries** Deprecated in RS3. -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -484,7 +374,7 @@ The following fields are available: - **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. - **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. - **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. -- **SoftBlock** The file is soft blocked in the SDB and has a warning. +- **SoftBlock** The file is softblocked in the SDB and has a warning. ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove 
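Review bot: In the @@ -484 hunk the SoftBlock description changes "soft blocked" to "softblocked", which reads as a spelling regression rather than a content update. Suggest keeping "soft blocked" (or "soft-blocked") so the description matches the two-word form used before this change.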
@@ -674,32 +564,6 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove - -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. 
@@ -728,17 +592,6 @@ The following fields are available: - **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync This event indicates that a new set of DecisionMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date. 
@@ -760,21 +613,9 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **Blocking** Appraiser decision about eligibility to upgrade. -- **HostOsSku** The SKU of the Host OS. - **LockdownMode** S mode lockdown mode. -### Microsoft.Windows.Appraiser.General.DecisionSModeStateRemove - -This event indicates that the DecisionTpmVersion object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionSModeStateStartSync The DecisionSModeStateStartSync event indicates that a new set of DecisionSModeStateAdd events will be sent. This event is used to make compatibility decisions about the S mode state. Microsoft uses this information to understand and address problems regarding the S mode state for computers receiving updates. The data collected with this event is used to help keep Windows up to date. 
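Review bot: The @@ -760 hunk drops HostOsSku from the DecisionSModeState field list and removes the DecisionSModeStateRemove section, and the hunks that follow remove the Remove event for DecisionSystemBios, DecisionSystemDiskSize, DecisionSystemMemory and DecisionSystemProcessorCpuCores, yet the commit subject "Updates to event section" gives no reason for any of it. Suggest stating in the commit message whether these events and fields are no longer sent on Windows 11, version 21H2, so the deletions are not mistaken for a content-generation error.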
@@ -800,17 +641,6 @@ The following fields are available: - **HasBiosBlock** Does the device have a BIOS block? -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -835,17 +665,6 @@ The following fields are available: - **TotalSize** Total disk size in Mb. -### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeRemove - -This event indicates that the DecisionSystemDiskSize object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeStartSync Start sync event for physical disk size data. The data collected with this event is used to help keep Windows up to date. 
@@ -870,17 +689,6 @@ The following fields are available: - **ramKB** Memory information in KB. -### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryRemove - -This event indicates that the DecisionSystemMemory object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionSystemMemoryStartSync The DecisionSystemMemoryStartSync event indicates that a new set of DecisionSystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -905,17 +713,6 @@ The following fields are available: - **CpuCores** Number of CPU Cores. -### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresRemove - -This event indicates that the DecisionSystemProcessorCpuCores object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresStartSync This event signals the start of telemetry collection for CPU cores in Appraiser. The data collected with this event is used to help keep Windows up to date. 
@@ -944,17 +741,6 @@ The following fields are available: - **CpuVendor** Cpu vendor. -### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelRemove - -This event indicates that the DecisionSystemProcessorCpuModel object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date. @@ -979,17 +765,6 @@ The following fields are available: - **Mhz** CPU speed in MHz. -### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedRemove - -This event indicates that the DecisionSystemProcessorCpuSpeed object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedStartSync This event collects data for CPU speed in MHz. The data collected with this event is used to help keep Windows up to date. 
@@ -1001,41 +776,6 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -### Microsoft.Windows.Appraiser.General.DecisionTestAdd - -This event provides diagnostic data for testing decision add events. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser binary generating the events. -- **TestDecisionDataPoint1** Test data point 1. -- **TestDecisionDataPoint2** Test data point 2. - - -### Microsoft.Windows.Appraiser.General.DecisionTestRemove - -This event provides data that allows testing of “Remove” decisions to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionTestStartSync - -This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionTpmVersionAdd This event collects data about the Trusted Platform Module (TPM) in the device. TPM technology is designed to provide hardware-based, security-related functions. The data collected with this event is used to help keep Windows up to date. 
@@ -1049,17 +789,6 @@ The following fields are available: - **TpmVersionInfo** The version of Trusted Platform Module (TPM) technology in the device. -### Microsoft.Windows.Appraiser.General.DecisionTpmVersionRemove - -This event indicates that the DecisionTpmVersion object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionTpmVersionStartSync The DecisionTpmVersionStartSync event indicates that a new set of DecisionTpmVersionAdd events will be sent. This event is used to make compatibility decisions about the TPM. Microsoft uses this information to understand and address problems regarding the TPM for computers receiving updates. The data collected with this event is used to help keep Windows up to date. @@ -1085,17 +814,6 @@ The following fields are available: - **SecureBootEnabled** Is UEFI enabled? -### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootRemove - -This event indicates that the DecisionUefiSecureBoot object represented by the objectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootStartSync Start sync event data for UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. 
@@ -1138,14 +856,14 @@ The following fields are available: - **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. - **CompanyName** The company name of the vendor who developed this file. - **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **FileVersion** The File version field from the file metadata under Properties -> Details. - **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. - **IsAv** Indicates whether the file an antivirus reporting EXE. - **LinkDate** The date and time that this file was linked on. - **LowerCaseLongPath** The full file path to the file that was inventoried on the device. - **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. - **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. - **Size** The size of the file (in hexadecimal bytes). 
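Review bot: the three changed `FileVersion`, `ProductName` and `ProductVersion` lines read the same before and after apart from whitespace, while the unchanged `IsAv` line in the same list still reads "Indicates whether the file an antivirus reporting EXE", which is missing its verb. Since the hunk already touches this field list, fix that line here too ("Indicates whether the file is an antivirus reporting EXE") so the list is cleaned up in one pass.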
@@ -1266,17 +984,6 @@ The following fields are available: - **Model** The model field from Win32_ComputerSystem. -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -This event indicates that the InventorySystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. 
@@ -1288,41 +995,6 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser binary (executable) generating the events. -### Microsoft.Windows.Appraiser.General.InventoryTestAdd - -This event provides diagnostic data for testing event adds to help keep windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the component sending the data. -- **TestInvDataPoint1** Test inventory data point 1. -- **TestInvDataPoint2** Test inventory data point 2. - - -### Microsoft.Windows.Appraiser.General.InventoryTestRemove - -This event provides data that allows testing of “Remove” decisions to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryTestStartSync - -This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser binary (executable) generating the events. - - ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date. 
@@ -1403,17 +1075,6 @@ The following fields are available: - **virtualKB** The amount of virtual memory (in KB). -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -1438,17 +1099,6 @@ The following fields are available: - **CompareExchange128Support** Does the CPU support CompareExchange128? -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -This event indicates that the SystemProcessorCompareExchange object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. 
@@ -1473,17 +1123,6 @@ The following fields are available: - **LahfSahfSupport** Does the CPU support LAHF/SAHF? -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -This event indicates that the SystemProcessorLahfSahf object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -1509,17 +1148,6 @@ The following fields are available: - **NXProcessorSupport** Does the processor support NX? -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove - -This event indicates that the SystemProcessorNx object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date. 
@@ -1544,17 +1172,6 @@ The following fields are available: - **PrefetchWSupport** Does the processor support PrefetchW? -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -1579,17 +1196,6 @@ The following fields are available: - **SSE2ProcessorSupport** Does the processor support SSE2? -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove - -This event indicates that the SystemProcessorSse2 object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date. 
@@ -1649,17 +1255,6 @@ The following fields are available: - **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -This event indicates that the SystemWim object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.SystemWimStartSync This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -1723,17 +1318,6 @@ The following fields are available: - **WlanNativeDriver** Does the device have a non-emulated WLAN driver? -### Microsoft.Windows.Appraiser.General.SystemWlanRemove - -This event indicates that the SystemWlan object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.SystemWlanStartSync This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date. 
@@ -1802,17 +1386,6 @@ The following fields are available: - **WmdrmPurchased** Indicates if the system has any files with permanent licenses. -### Microsoft.Windows.Appraiser.General.WmdrmRemove - -This event indicates that the Wmdrm object is no longer present. The data collected with this event is used to help keep Windows up to date. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - ### Microsoft.Windows.Appraiser.General.WmdrmStartSync The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date. 
@@ -1881,8 +1454,8 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. +- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier @@ -1911,7 +1484,6 @@ The following fields are available: - **FlightingBranchName** The name of the Windows Insider branch currently used by the device. - **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. - **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **SSRK** Retrieves the mobile targeting settings. ### Census.Hardware 
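Review bot: in the -1881 hunk the rewritten `SCCMClientId` line keeps the subject-verb error "This ID correlate systems"; it should read "This ID correlates systems", and "OMS based" would be better hyphenated as "OMS-based". The only wording change the new line makes is lowering "Enterprise" to "enterprise", so the grammar fix belongs in the same edit. The unchanged `SystemCenterID` line just below also ends without a period.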
@@ -2291,7 +1863,7 @@ The following fields are available: - **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
@@ -2321,16 +1893,66 @@ The following fields are available: - **wilActivity** Common data logged with all Wil activities. See [wilActivity](#wilactivity). -### Microsoft.Windows.Shell.CloudExperienceHost.ExpectedReboot +## Code Integrity events -This event fires during OOBE when an expected reboot occurs- for example, as a result of language change or autopilot. The event doesn't fire if the user forcibly initiates a reboot/shutdown. The data collected with this event is used to keep Windows performing properly. +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.AutoEnablementIsBlocked + +Indicates if OEM attempted to block autoenablement via regkey. The following fields are available: -- **wilActivity** Common data logged with all Wil activities. +- **BlockHvciAutoenablement** True if auto-enablement was successfully blocked, false otherwise. -## Code Integrity events +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled + +Fires when auto-enablement is successful and HVCI is being enabled on the device. + + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HVCIActivity + +Fires at the beginning and end of the HVCI auto-enablement process in sysprep. + +The following fields are available: + +- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. See [wilActivity](#wilactivity). + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed + +Fires when driver scanning fails to get results. + + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanningDriverInSdbError + +Fires when there is an error checking the SDB for a particular driver. + +The following fields are available: + +- **DriverPath** Path to the driver that was being checked in the SDB when checking encountered an error. +- **Error** Error encountered during checking the SDB. 
+ + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanningDriverNonCompliantError + +Fires when a driver is discovered that is non-compliant with HVCI. + +The following fields are available: + +- **DriverPath** Path to driver. +- **NonComplianceMask** Error code indicating driver violation. + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.IsRegionDisabledLanguage + +Fires when an incompatible language pack is detected. + +The following fields are available: + +- **Language** String containing the incompatible language pack detected. + ### Microsoft.Windows.Security.CodeIntegrity.State.Current @@ -2538,19 +2160,6 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. ## Component-based servicing events 
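Review bot: the added `HVCISysprep.HVCIActivity` entry in the -2321 hunk misspells "success" as "sucess" in its `wilActivity` description ("a HResult indicating sucess or failure"), and "a HResult" should be "an HResult". The new entries are also inconsistent with each other and with the rest of the file: `AutoEnablementIsBlocked` uses both "autoenablement" and "auto-enablement", none of the seven HVCISysprep entries states what the collected data is used for the way neighbouring entries do, and `Enabled` and `HvciScanGetResultFailed` have no field list or "no fields" statement, which leaves runs of blank lines. The same hunk deletes `Microsoft.Windows.Shell.CloudExperienceHost.ExpectedReboot` while moving the `## Code Integrity events` heading up; if that removal is intended it would be easier to review as its own change.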
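Review bot: deleting the `## Common data fields` section in the -2538 hunk removes the `#msdevicedeviceinventorychange` anchor that event entries link to through "This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange)". The Remove and Test entries deleted elsewhere in this patch carried that link, but the retained Add and StartSync entries are only partly visible in the hunk context, so confirm none of them still references the anchor before dropping the section, or keep the section.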
@@ -2706,18 +2315,6 @@ This event reports the results of deferring Windows Content to keep Windows up t -### Microsoft.Windows.CbsLite.CbsLiteFinalizeCommit - -The event reports basic information about the end of the last phase of updates. The data collected with this event is used to keep windows up to date. - -The following fields are available: - -- **bootAvailable** Indicates if storage pool version supports Oneshot Boot functionality. -- **cbsLiteSessionID** An ID to associate other cbs events related to this update session. -- **duration** The number of milliseconds taken to complete the operation. -- **result** The return code of the operation. - - ### Microsoft.Windows.CbsLite.CbsLiteUpdateReserve This event updates the size of the update reserve on WCOS devices. The data collected with this event is used to help keep Windows up to date and secure. 
@@ -2731,150 +2328,8 @@ The following fields are available: - **Result** The return code for the operation. -## Deployment events - -### Microsoft.Windows.Deployment.Imaging.AppExit - -This event is sent on imaging application exit. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **hr** HResult returned from app exit. -- **totalTimeInMs** Total time taken in Ms. - - -### Microsoft.Windows.Deployment.Imaging.AppInvoked - -This event is sent when the app for image creation is invoked. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **branch** Corresponding branch for the image. -- **isInDbg** Whether the app is in debug mode or not. -- **isWSK** Whether the app is building images using WSK or not. - - -### Microsoft.Windows.Deployment.Imaging.Failed - -This failure event is sent when imaging fails. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **cs** Line that failed. -- **ec** Execution status. -- **hr** HResult returned. -- **msg** Message returned. -- **stack** Stack information. - - -### Microsoft.Windows.Deployment.Imaging.ImagingCompleted - -This event is sent when imaging is done. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **appExecTimeInMs** Execution time in milliseconds. -- **buildInfo** Information of the build. -- **compDbPrepTimeInMs** Preparation time in milliseconds for the CompDBs. -- **executeUpdateTimeInMs** Update execution time in milliseconds. -- **fileStageTimeInMs** File staging time in milliseconds. -- **hr** HResult returned from imaging. -- **imgSizeInMB** Image size in MB. -- **mutexWaitTimeInMs** Mutex wait time in milliseconds. -- **prepareUpdateTimeInMs** Update preparation time in milliseconds. 
-- **totalRunTimeInMs** Total running time in milliseconds. -- **updateOsTimeInMs** Time in milliseconds spent in update OS. - - -### Microsoft.Windows.Deployment.Imaging.ImagingStarted - -This event is sent when an imaging session starts. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **arch** Architecture of the image. -- **device** Device type for which the image is built. -- **imgFormat** Format of the image. -- **imgSkip** Parameter for skipping certain image types when building. -- **imgType** The type of image being built. -- **lang** Language of the image being built. -- **prod** Image product type. - - ## Diagnostic data events -### TelClientSynthetic.AbnormalShutdown_0 - -This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. -- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown. -- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. -- **BatteryLevelAtLastShutdown** The last recorded battery level. -- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. -- **CrashDumpEnabled** Are crash dumps enabled? -- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. -- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. -- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware. -- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware. 
-- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware. -- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware. -- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not. -- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. -- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. -- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. -- **InvalidBootStat** This is a sanity check flag that ensures the validity of the bootstat file. -- **LastBugCheckBootId** bootId of the last captured crash. -- **LastBugCheckCode** Code that indicates the type of error. -- **LastBugCheckContextFlags** Additional crash dump settings. -- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. -- **LastBugCheckOtherSettings** Other crash dump settings. -- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. -- **LastBugCheckProgress** Progress towards writing out the last crash dump. -- **LastBugCheckVersion** The version of the information struct written during the crash. -- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown. -- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button. -- **LongPowerButtonPressInstanceGuid** The Instance GUID for the user state of pressing and holding the power button. -- **OOBEInProgress** Identifies if OOBE is running. -- **OSSetupInProgress** Identifies if the operating system setup is running. -- **PowerButtonCumulativePressCount** How many times has the power button been pressed? -- **PowerButtonCumulativeReleaseCount** How many times has the power button been released? 
-- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics. -- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed. -- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed. -- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released. -- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released. -- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. -- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. -- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on. -- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. -- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. -- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. -- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. -- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid. -- **StaleBootStatData** Identifies if the data from bootstat is stale. -- **TransitionInfoBootId** BootId of the captured transition info. -- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode. -- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode. -- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode. -- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode. 
-- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp, -- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. -- **TransitionInfoLidState** Describes the state of the laptop lid. -- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed. -- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode. -- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode. -- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running. -- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. -- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. -- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. -- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. -- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. -- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. - - ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
@@ -2929,7 +2384,7 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensusExitCode** Returns last execution codes from census client run. +- **CensusExitCode** Last exit code of Census task - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. @@ -3037,15 +2492,6 @@ The following fields are available: - **errorCode** The result code returned by the event. -### Microsoft.Windows.StartRepairCore.DISMUninstallLCU - -The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **errorCode** The result code returned by the event. - - ### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd The SRT Repair Action End event sends information to report repair operation ended for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. @@ -3131,7 +2577,6 @@ The following fields are available: - **InstallDate** The date the driver was installed. - **LastCompatibleId** The ID in the hardware ID list that provides the least specific device description. - **LastInstallFunction** The last install function invoked in a co-installer if the install timeout was reached while a co-installer was executing. -- **LegacyInstallReasonError** The error code for the legacy installation. - **LowerFilters** The list of lower filter drivers. - **MatchingDeviceId** The hardware ID or compatible ID that Windows used to install the device instance. - **NeedReboot** Indicates whether the driver requires a reboot. 
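Review bot: In the @@ -2929,7 +2384,7 @@ hunk, the new CensusExitCode text "Last exit code of Census task" has no closing period and drops the articles, while the CensusStartTime and CensusTaskEnabled entries directly below it keep the "Returns ..." sentence form. Suggest "Returns the last exit code of the Census task." so the field list stays consistent.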
@@ -3343,7 +2788,7 @@ This event indicates that the uninstall was properly configured and that a syste ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: 
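Review bot: Replacing "client devices" with "PC devices" in the AppHangEvent description changes the stated scope of the event, not just its wording. If this is only a terminology update, use the term the rest of the page uses for this device class. If the reporting scope really changed, the change description should say so, because readers rely on this sentence to know where the event is emitted.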
@@ -3463,7 +2908,6 @@ The following fields are available: - **CalibrationFwMinorVer** Windows Mixed Reality device calibration firmware minor version. - **CalibrationFwRevNum** Windows Mixed Reality device calibration firmware revision number. - **DeviceInfoFlags** Windows Mixed Reality device info flags. -- **DeviceName** Windows Mixed Reality device Name. This event is also used to count WMR device. - **DeviceReleaseNumber** Windows Mixed Reality device release number. - **FirmwareMajorVer** Windows Mixed Reality device firmware major version. - **FirmwareMinorVer** Windows Mixed Reality device firmware minor version. 
@@ -3494,26 +2938,9 @@ This event captures basic checksum data about the device inventory items stored The following fields are available: -- **DriverPackageExtended** A count of driverpackageextended objects in cache. - **InventoryApplication** A count of application objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache - **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache. -- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. -- **InventoryDeviceMediaClass** A count of device media objects in cache. -- **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache. -- **InventoryDriverPackage** A count of device objects in cache. -- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryVersion** The version of the inventory binary generating the events. +- **InventoryVersion** test ### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd 
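Review bot: The added line `- **InventoryVersion** test` replaces a real description ("The version of the inventory binary generating the events.") with the placeholder word "test". Restore the original sentence or write the intended one before this merges. The same hunk drops every device, driver and Office count field from this checksum event, leaving only InventoryApplication and InventoryApplicationFramework, so please confirm the event really reports just those two counts now.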
@@ -3582,7 +3009,6 @@ The following fields are available: - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. - **MsiProductCode** A GUID that describe the MSI Product. - **Name** The name of the application. -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. - **PackageFullName** The package full name for a Store application. - **ProgramInstanceId** A hash of the file IDs in an app. - **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. @@ -3593,17 +3019,15 @@ The following fields are available: - **Version** The version number of the program. -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync -This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly. +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. The data collected with this event is used to keep Windows performing properly. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **FileId** A hash that uniquely identifies a file. -- **Frameworks** The list of frameworks this file depends on. -- **InventoryVersion** The version of the inventory file generating the events. +- **InventoryVersion** The version of the inventory component. ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync 
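Review bot: In the @@ -3593,17 +3019,15 @@ hunk, the new InventoryApplicationDriverStartSync description announces a set of "InventoryApplicationDriverStartAdd" events. That name does not fit the Add / Remove / StartSync pattern used by the other inventory events in this patch and looks like a slip for InventoryApplicationDriverAdd. The hunk also deletes InventoryApplicationFrameworkAdd while the InventoryApplicationFrameworkStartSync heading stays as context right below it, so the page would document a sync for an object type whose Add event is gone. Note too that the checksum hunk just before this removes the InventoryApplicationDriver count while this one introduces a driver StartSync event, so the two changes should be reconciled.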
@@ -3788,7 +3212,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx). +- **InstallState** The device installation state. One of these values: [DEVICE_INSTALL_STATE enumeration](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state) - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** The identifiers of the Lower filters installed for the device. 
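Review bot: The replacement InstallState line ends on the link with no closing period, and "One of these values: [DEVICE_INSTALL_STATE enumeration](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state)" reads as a fragment. Keeping the earlier sentence shape, "For a list of values, see [DEVICE_INSTALL_STATE enumeration](...).", would fix both. While this list is open, the neighbouring context entries look shifted by one row (HWID is described as a driver version, Inf as the enumerating bus, InventoryVersion as a list of hardware ids) and are worth correcting in the same pass.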
@@ -4022,59 +3446,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. -- **Provider** Name of the provider for this add-in. 
- - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. 
@@ -4127,14 +3498,6 @@ The following fields are available: - **IndicatorValue** The indicator value. -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - - - ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly. 
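Review bot: With InventoryMiscellaneousUexIndicatorRemove deleted, the InventoryMiscellaneousUexIndicatorStartSync section left as trailing context still carries the Remove wording ("... represented by the objectInstanceId is no longer present"). The StartSync description removed in the previous hunk (InventoryMiscellaneousOfficeAddInStartSync) reads "a new sync is being generated for this object type", which is the shape this one should have. Correct the StartSync text in this change so it is not left as the only copy of the Remove description.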
@@ -4231,151 +3594,8 @@ The following fields are available: - **thermalZone** Contains an identifier that specifies which area it was that exceeded temperature limits. -## Manufacturing events - -### ManufacturingPlatformTel.ManufacturingPlatformActivityEvent - -These is the Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **BootOptionDescription** This field describes the boot option that is retrieved using EFI protocols from the DUT side. -- **BootOptionDevicePath** The device path for the boot option. -- **ChunkSizeInBytes** Indicates the chunk size, in bytes, of an FFU image. -- **CurrentDUTTime** Indicates the time on the DUT (or target device), using EFI protocols, when the event was logged. -- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved via SMBIOS on the DUT (target device). -- **DUTActivityGuid** The activity guid, from TraceLoggingActivity, that is associated with that operation on the DUT (target device). -- **DUTDeviceUniqueId** A GUID that uniquely identifies a target device. -- **DUTSessionGuid** A GUID that uniquely identifies a section on the DUT (target device). -- **EventName** Indicates the specific event from ManufacturingPlatform. A list of all possible events can be found in ufptelemetryevents.h. An example is: "GetFlashingImageData" or "GetFlashingStatus". -- **FFUFilePath** Describes to the name of the FFU file that we are flashing. -- **FFUHeaderSize** Refers to the size of the header in an FFU image. -- **FFUPayloadSize** Refers to the payload size of an FFU image. -- **FieldName** Provides a description of the value field. If relevant, it also includes the unit. Example: "ErrorMessage" or "TimeInSec". -- **HeaderFileOffset** Indicates the header file offset in an FFU image. 
-- **HostStartTime** Refers to the UTC system time on the host that is recorded when the host starts a telemetry logging session on the DUT (target device). -- **Identifier** Identifies the phase in ManufacturingPlatform we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name. -- **ImageDeviceTargetInfo** Describes the device target information that has been included in the FFU image. These values can be found in the image header. -- **ImageHeaderData** Describes critical data in the image header of an FFU image. -- **OperationName** The name of the operation the host is triggering a logging session on the DUT (target device) for. -- **PayloadFileOffset** Indicates the header file offset in an FFU image. -- **SectorSize** Indicates the sector size of the FFU image. -- **StoreHeaderData** Describes critical data of important fields found in the store header of an FFU image. -- **UFPImplementationVersionMajor** Implementation major version for the UFP binaries on the DUT (target device) side. -- **UFPImplementationVersionMinor** Implementation minor version for the UFP binaries on the DUT (target device) side. -- **UFPProtocolVersionMajor** Protocol major version for the UFP binaries on the DUT (target device) side. -- **UFPProtocolVersionMinor** Protocol minor version for the UFP binaries on the DUT (target device) side. -- **ValueStr** The value to be logged. Described by field name and relevant to the event name. -- **ValueUInt64** The value to be logged. Described by field name and relevant to the event name. -- **ValueWideStr** The value to log. Described by field name and relevant to the event name. - - -### ManufacturingPlatformTel.ManufacturingPlatformActivityEventStart - -This is the Event Start Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly. 
- -The following fields are available: - -- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved using SMBIOS on the DUT (target device). -- **m_Identifier** Indicates the phase in ManufacturingPlatform that we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name. - - -### ManufacturingPlatformTel.ManufacturingPlatformActivityEventStop - -This is the Event Stop Activity event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **DeviceTargetInfo** Describes general manufacturing and product information about the device, retrieved using SMBIOS on the DUT (target device). -- **m_Identifier** Indicates the phase in ManufacturingPlatform that we are in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name. - - -### ManufacturingPlatformTel.ManufacturingPlatformEvent - -This is the manufacturing event coming from the Manufacturing Platform. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **CurrentDUTTime** Indicates the time on the DUT (or target device) using EFI protocols when the event was logged. -- **DeviceFriendlyName** Friendly name of the device as retrieved from SMBIOS on the DUT (target device). -- **DeviceTargetInfo** Describes general manufacturing and product information about the device and is retrieved using SMBIOS on the DUT (target device). -- **DUTActivityGuid** The activity GUID that comes from TraceLoggingActivity associated with that operation on the DUT (target device). -- **DUTDeviceUniqueId** A GUID to uniquely describes a target device. 
-- **DUTSessionGuid** The session GUID given to the DUT (target device) when the host triggers an operation in the DUT. -- **EventName** Refers to the specific event occurring from ManufacturingPlatform. A list of all possible events can be found in ufptelemetryevents.h. An example is: "GetFlashingImageData" or "GetFlashingStatus" -- **FieldName** Describes the value field. If relevant it also includes the unit. Example: "ErrorMessage" or "TimeInSec" -- **HostStartTime** Indicates the UTC system time on the host, recorded when the host starts a telemetry logging session on the DUT (target device) -- **Identifier** Indicates the phase the ManufacturingPlatform is in. In FlashingPlatform, this field is empty. In FlashingDevice, it includes the DeviceUniqueId, and in an activity, it also includes the operation name. -- **MajorVersionUInt64** Refers to the major version of the host UFP binaries. -- **MinorVersionUInt64** Refers to the minor version of the host UFP binaries. -- **OperationName** The name of the operation the host is triggering a logging session on the DUT (target device) for. -- **ValueStr** The value to log. Described by field name and relevant to the event name. -- **ValueUInt64** The value to log. Described by field name and relevant to the event name. -- **ValueWideStr** The value to log. Described by field name and relevant to the event name. - - ## Microsoft Edge events -### Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config - -This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. - -The following fields are available: - -- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. 
-- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. -- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). -- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. -- **Channel** An integer indicating the channel of the installation (Canary or Dev). -- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. -- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. -- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. -- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. -- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. 
This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. -- **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. -- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. -- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). -- **installSourceName** A string representation of the installation source. -- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. -- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. -- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. -- **pop_sample** A value indicating how the device's data is being sampled. -- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. 
-- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. -- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. - - -### Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config - -This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. - -The following fields are available: - -- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. -- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. -- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). -- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. -- **Channel** An integer indicating the channel of the installation (Canary or Dev). 
-- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. -- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. -- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. -- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. -- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. -- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. -- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. 
-- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). -- **installSourceName** A string representation of the installation source. -- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. -- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. -- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. -- **pop_sample** A value indicating how the device's data is being sampled. -- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. -- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. -- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. 
- - ### Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. 
@@ -4389,41 +3609,9 @@ The following fields are available: - **Channel** An integer indicating the channel of the installation (Canary or Dev). - **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. - **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. -- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. -- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. 
-- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. -- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). -- **installSourceName** A string representation of the installation source. -- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. -- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission. -- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level. -- **pop_sample** A value indicating how the device's data is being sampled. -- **reactivationBrandCode** Contains the 4 character reactivation brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. -- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade. -- **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. 
- - -### Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config - -This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure. - -The following fields are available: - -- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events. -- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version. -- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000). -- **brandCode** Contains the 4 character brand code or distribution tag that has been assigned to a partner. Not every Windows install will have a brand code. -- **Channel** An integer indicating the channel of the installation (Canary or Dev). -- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled. -- **ConnectionType** The first reported type of network connection currently connected. 
This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth. -- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode. -- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. -- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. -- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [ExperimentationAndConfigurationServiceControl](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). 
- **installSourceName** A string representation of the installation source. 
@@ -4453,10 +3641,13 @@ The following fields are available: - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'. - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. +- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'. - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. 
+- **appLastLaunchTime** The time when browser was last launched. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. 
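Review bot: `appInstallTime` in this hunk is described only as "The product install time in seconds", with no reference point, so a reader cannot tell whether it is an epoch timestamp or a duration. The `install_date` entry elsewhere in this file shows the wording to follow ("in seconds since midnight on January 1, 1970 UTC"). The same line gives "'0' if unknown" next to "Default: '-1'", which leaves two sentinel values without saying how they differ. The added `appLastLaunchTime` has no unit, format, unknown value or default at all; please document it to the same level as the `appInstallTimeDiffSec` line beside it.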
@@ -4473,15 +3664,19 @@ The following fields are available: - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventPackageCacheResult** Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply. - **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. 
- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. - **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. - **eventType** A string indicating the type of the event. Please see the wiki for additional information. +- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only. +- **hwDiskType** Device’s hardware disk type. - **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'. 
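Review bot: The added `hwDiskType` line says only "Device’s hardware disk type", so neither the values a consumer can expect nor the value sent when the type is unknown is documented. The `hwHasAvx` and `hwHasSse` entries directly below it spell out '1', '0', '-1' and a default. Please list the possible values. That line also uses a typographic apostrophe (’) where the rest of the list uses straight quotes. In the same hunk, `appReferralHash` does not say which hash is applied to the referral code, and `expETag` would read better as "when the current update happens".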
@@ -4489,8 +3684,11 @@ The following fields are available: - **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'. - **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'. - **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwLogicalCpus** Number of logical CPUs of the device. - **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. - **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. +- **oemProductManufacturer** The device manufacturer name. +- **oemProductName** The product name of the device defined by device manufacturer. - **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. - **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''. - **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. 
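Review bot: The three fields added here (`hwLogicalCpus`, `oemProductManufacturer`, `oemProductName`) state no "if unknown" value and no default, while the surrounding `hwPhysmemory`, `isMsftDomainJoined` and `osArch` entries state both. Since the two OEM strings describe the device itself, it would help to say what is sent when they cannot be read. `oemProductName` also needs an article: "defined by the device manufacturer". The unchanged `osPlatform` line in the trailing context still reads "that the within which"; it is worth fixing while this list is being edited.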
@@ -4510,6 +3708,41 @@ The following fields are available: - **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''. +### Microsoft.Edge.Crashpad.CrashEvent + +This event sends simple Product and Service Performance data on a crashing Microsoft Edge browser process to help mitigate future instances of the crash. + +The following fields are available: + +- **app_name** The name of the crashing process. +- **app_session_guid** Encodes the boot session, process id, and process start time. +- **app_version** The version of the crashing process. +- **client_id_hash** Hash of the browser client ID which helps identify installations. +- **etag** Encodes the running experiments in the browser. +- **module_name** The name of the module in which the crash originated. +- **module_offset** Memory offset into the module in which the crash originated. +- **module_version** The version of the module in which the crash originated. +- **process_type** The type of the browser process that crashed, e.g., renderer, gpu-process, etc. +- **stack_hash** Hash of the stack trace representing the crash. Currently not used or set to zero. +- **sub_code** The exception/error code representing the crash. + + +### Microsoft.Edge.Crashpad.HangEvent + +This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang. + +The following fields are available: + +- **app_name** The name of the hanging process. +- **app_session_guid** Encodes the boot session, process, and process start time. +- **app_version** The version of the hanging process. +- **client_id_hash** Hash of the browser client id to help identify the installation. +- **etag** Identifier to help identify running browser experiments. +- **hang_source** Identifies how the hang was detected. 
+- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc. +- **stack_hash** A hash of the hanging stack. Currently not used or set to zero. + + ## Migration events ### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr @@ -4558,26 +3791,6 @@ The following fields are available: - **Configs** Array of configs. -### Microsoft.Windows.OneSettingsClient.StateChange - -This event indicates the change in config state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **flightId** Flight id. -- **state** New state. - - -### Microsoft.Windows.OneSettingsClient.Status - -This event indicates the config usage of status update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **flightId** Flight id. -- **time** Time. - - ## OOBE events ### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateExpeditionChoiceCommitted @@ -4600,16 +3813,6 @@ The following fields are available: - **skippedReasonFlag** Flag representing reason for skip. -### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateStartUSOScan - -This event indicates USO Scan API call. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. - -The following fields are available: - -- **oobeExpeditedUpdateCommitOption** Expedited update commit work type. -- **resultCode** HR result of operation. - - ### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateStatusResult This event provides status of expedited update. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. 
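Review bot: In the `@@ -4510,6 +3708,41 @@` hunk above, which adds Microsoft.Edge.Crashpad.CrashEvent and Microsoft.Edge.Crashpad.HangEvent, the same fields are described differently in the two lists. `app_session_guid` encodes "the boot session, process id, and process start time" in one and "the boot session, process, and process start time" in the other. `client_id_hash` is "client ID" in one and "client id" in the other, and `etag` has two different definitions. Please use one wording per field so readers do not assume the values differ. "Currently not used or set to zero" on `stack_hash` is ambiguous (not populated, or populated with zero?). Neither `client_id_hash` entry says how the hash is derived from the `client_id` documented elsewhere in this file.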
@@ -4649,40 +3852,6 @@ The following fields are available: - **userRegionCode** The current user's region setting -## Servicing API events - -### Microsoft.Windows.ServicingUAPI.ModifyFeaturesEnd - -This event sends Software Setup and Inventory data regarding the end of an operation to modify a feature. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. - -The following fields are available: - -- **Actions** A numeric flag that indicates whether the operations are Inbox. -- **ClientId** A unique, human-readable identifier for telemetry/diagnostic purposes. -- **Duration** Duration of operation in milliseconds. -- **Flags** A numeric flag indicating the type of operation being requested. -- **NetRequiredBytes** Net space required after operation completes or after reboot if operation requires one. -- **RebootRequired** A true or false value indicating if a reboot is required to complete the operation. -- **RequiredDownloadBytes** Space required to acquire content (compressed). -- **Result** HResult at operation end. -- **TotalMaxRequiredBytes** Total maximum space required during operation. - - -### Microsoft.Windows.ServicingUAPI.ModifyFeaturesResult - -This event sends Software Setup and Inventory data regarding a result that occurred during an operation to modify a feature. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. - -The following fields are available: - -- **ClientId** A unique, human-readable identifier for telemetry/diagnostic purposes. -- **FeatureIntentFlags** A numeric flag indicating the reason that the feature is being modified. -- **FeatureName** Feature name which includes language-specific version if in the Language namespace. -- **FeatureNewIntentFlags** A numeric flag indicating the new reason that the feature is absent or installed. -- **FeatureNewStateFlags** A numeric flag indicating the new state of the feature. 
-- **FeatureStateFlags** A numeric flag indicating the current state of the feature. -- **Result** HResult from operation to modify a feature. - - ## Setup events ### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStart 
@@ -4782,52 +3951,6 @@ The following fields are available: - **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. -## SIH events - -### SIHEngineTelemetry.EvalApplicability - -This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it. -- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it. -- **CachedEngineVersion** The engine DLL version that is being used. -- **EventInstanceID** A unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. -- **IsExecutingAction** If the action is presently being executed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). -- **SihclientVersion** The client version that is being used. -- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **UpdateID** A unique identifier for the action being acted upon. -- **WuapiVersion** The Windows Update API version that is currently installed. -- **WuaucltVersion** The Windows Update client version that is currently installed. -- **WuauengVersion** The Windows Update engine version that is currently installed. 
-- **WUDeviceID** The unique identifier controlled by the software distribution client. - - -### SIHEngineTelemetry.ExecuteAction - -This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CachedEngineVersion** The engine DLL version that is being used. -- **EventInstanceID** A unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **RebootRequired** Indicates if a reboot was required to complete the action. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). -- **SihclientVersion** The SIH version. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **UpdateID** A unique identifier for the action being acted upon. -- **WuapiVersion** The Windows Update API version. -- **WuaucltVersion** The Windows Update version identifier for SIH. -- **WuauengVersion** The Windows Update engine version identifier. -- **WUDeviceID** The unique identifier controlled by the software distribution client. - - ## Software update events ### SoftwareUpdateClientTelemetry.CheckForUpdates 
@@ -4839,54 +3962,29 @@ The following fields are available: - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. - **AllowCachedResults** Indicates if the scan allowed using cached results. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **BranchReadinessLevel** The servicing branch configured on the device. - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? 
- **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6 - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. - **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 
0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked - **NumberOfLoop** The number of round trips the scan required - **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan - **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan - **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. - **Online** Indicates if this was an online scan. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). 
- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan 
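Review bot: The value legend "0 - IPv4, 1 - IPv6" that follows the removed **NetworkConnectivityDetected** entry does not carry a removal marker as shown here, so it may be left behind. If it survives, it will render as a stray continuation under **MetadataIntegrityMode**. Please check that the legend line is deleted together with its field. While this list is being touched, the unchanged **MetadataIntegrityMode** line still reads "1-Ignoe" (should be "1-Ignore"), and the unchanged **IPVersion** line is missing its closing period.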
@@ -4896,90 +3994,43 @@ The following fields are available: - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). - **SyncType** Describes the type of scan the event was - **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TargetReleaseVersion** The value selected for the target release version policy. - **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -### SoftwareUpdateClientTelemetry.Commit - -This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClassificationId** Classification identifier of the update content. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". 
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **UpdateId** Identifier associated with the specific piece of content - - ### SoftwareUpdateClientTelemetry.Download This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date. The following fields are available: -- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download. -- **AppXScope** Indicates the scope of the app download. -- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. - **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. 
-- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. - **ClientVersion** The version number of the software distribution client. - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. -- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. - **DownloadProps** Information about the download operation properties in the form of a bitmask. - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. - **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. 
- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." - **PackageFullName** The package name of the content. -- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. - **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific content has previously failed. - **RevisionNumber** The revision number of the specified piece of content. - **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **TotalExpectedBytes** The total count of bytes that the download is expected to be. - **UpdateId** An identifier associated with the specific piece of content. 
- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedDO** Whether the download used the delivery optimization service. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. 
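Review bot: In the SoftwareUpdateClientTelemetry.Download list this hunk removes both **StatusCode** and **ExtendedStatusCode**, yet the retained **EventScenario** text still says the event reports whether the download "was cancelled, succeeded, or failed", and **RegulationResult** and **Reason** stay. After the change the section documents no result code for the download itself. Please confirm that is intended for this version of the page. If it is, a line in the commit message saying why the result, host and byte-count fields (**HostName**, **CDNId**, **BytesDownloaded**, **TotalExpectedBytes**) and the whole Commit event were dropped would help whoever reviews the next revision. Minor: the unchanged **SyncType** line a few entries above ends without a period.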
@@ -5035,113 +4086,6 @@ The following fields are available: - **WUDeviceID** Unique device id controlled by the software distribution client -### SoftwareUpdateClientTelemetry.Install - -This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. -- **CSIErrorType** The stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. 
-- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. -- **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCode** The unique identifier of the MSI installer. -- **PackageFullName** The package name of the content being installed. 
-- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Revert - -This is a revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle. 
Should not be all zeros if the BundleId was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation that failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **EventType** Event type (Child, Bundle, Release, or Driver). -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). 
-- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** The identifier associated with the specific piece of content. 
-- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - ### SoftwareUpdateClientTelemetry.TaskRun This is a start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
@@ -5158,55 +4102,6 @@ The following fields are available: - **WUDeviceID** Unique device ID controlled by the software distribution client. -### SoftwareUpdateClientTelemetry.Uninstall - -This is an uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** The mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). -- **EventType** Indicates the event type. 
Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). 
-- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - ### SoftwareUpdateClientTelemetry.UpdateDetected This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. @@ -5250,15 +4145,6 @@ The following fields are available: ## Surface events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **pszBatteryDataXml** Battery performance data. - - ### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. 
@@ -5537,6 +4423,271 @@ The following fields are available: - **totalUserTime** Total user mode time used by the job object. +### Microsoft.Windows.Shell.EM.EMCompleted + +Event that tracks the effectiveness of an operation to mitigate an issue on devices that meet certain requirements. + +The following fields are available: + +- **cleanUpScheduledTaskHR** The result of the operation to clean up the scheduled task the launched the operation. +- **eulaHashHR** The result of the operation to generate a hash of the EULA file that's currently on-disk. +- **mitigationHR** The result of the operation to take corrective action on a device that's impacted. +- **mitigationResult** The enumeration value representing the action that was taken on the device. +- **mitigationResultReason** The string value representing the action that was taken on the device. +- **mitigationSuccessWriteHR** The result of writing the success value to the registry. +- **region** The device's default region at the time of execution. +- **windowsVersionString** The version of Windows that was computed at the time of execution. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult + +This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation + +This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. 
+ +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantAppFilePath** Path to Update Assistant app. +- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. +- **UpdateAssistantExeName** Exe name running as Update Assistant. +- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. +- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. +- **UpdateAssistantIsPushing** True if the update is pushing to the device. +- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. +- **UpdateAssistantOsVersion** Update Assistant OS Version. +- **UpdateAssistantPartnerId** Partner Id for Assistant application. +- **UpdateAssistantReportPath** Path to report for Update Assistant. +- **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantUiType** The type of UI whether default or OOBE. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **UpdateAssistantVersionInfo** Information about Update Assistant application. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty + +This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. +- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantInteractive + +An user action such as button click happens. + +The following fields are available: + +- **CV** The correlation vector. 
+- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantInteractiveObjective** The objective of the action performed. +- **UpdateAssistantInteractiveUiAction** The action performed through UI. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantPostInstallDetails + +Information pertaining to post install phase of Update Assistant. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantPostInstallCV** Correlation vector for update assistant post install. +- **UpdateAssistantPostInstallUpgradeClientId** Client id post install. +- **UpdateAssistantPostInstallUserSignature** User signature of install. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. +- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat +- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePerformRestart** True at the start of PerformRestart. 
+- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantStateWelcomeToNewOS** True at the start of WelcomeToNewOS. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStateGeneralErrorDetails + +Details about errors of current state. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantGeneralErrorHResult** HResult of current state. +- **UpdateAssistantGeneralErrorOriginalState** State name of current state. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails + +This event provides details about user action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. +- **UpdateAssistantUserActionHResult** HRESULT of user action. +- **UpdateAssistantUserActionState** State name user performed action on. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantDwnldr.UpdateAssistantDownloadDetails + +Details about the Update Assistant ESD download. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The counter for all telemetry on the device. +- **UpdateAssistantDownloadCancelled** True when the ESD download is cancelled. +- **UpdateAssistantDownloadDownloadTotalBytes** The total size in bytes of the download. +- **UpdateAssistantDownloadEditionMismatch** True if downloaded ESD doesn't match edition. 
+- **UpdateAssistantDownloadESDEncrypted** True if ESD is encrypted. +- **UpdateAssistantDownloadIs10s** True if ESD is 10s. +- **UpdateAssistantDownloadMessage** Message from a completed or failed download. +- **UpdateAssistantDownloadMsgSize** Size of the download. +- **UpdateAssistantDownloadNEdition** True if ESD is N edition. +- **UpdateAssistantDownloadPath** Full path to the download. +- **UpdateAssistantDownloadPathSize** Size of the path. +- **UpdateAssistantDownloadProductsXml** Full path of products xml. +- **UpdateAssistantDownloadTargetEdition** The targeted edition for the download. +- **UpdateAssistantDownloadTargetLanguage** The targeted language for the download. +- **UpdateAssistantDownloadUseCatalog** True if update assistant is using catalog. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted + +This event indicates that the detection phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdatesInProgress** List of update IDs in progress. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteDownloadStarted + +This event indicates that the download phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. 
+- **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoLastError** The last error returned by USO. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr + +This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanCompleted + +This event sends results of the expedite USO scan. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CartPolicySetOnDevice** True if the cart policy is set for the device. +- **CV** Correlation vector. +- **ExpediteCbsServicingInProgressStatus** True if servicing is in progress in cbs for the device. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy ID of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteScheduledTaskCreated** Indicates whether the scheduled task was created (true/false). +- **ExpediteScheduledTaskHresult** HRESULT for scheduled task creation. +- **ExpediteUpdaterCurrentUbr** The UBR of the device. +- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. 
+- **ExpediteUpdaterMonitorResult** HRESULT of the USO monitoring. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **ExpediteUpdaterScanResult** HRESULT of the expedite USO scan. +- **ExpediteUpdaterUsoResult** HRESULT of the USO initialization and resume API calls. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted + +This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CartPolicySetOnDevice** True if the cart policy is set for a given device. +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The UBR of the device. +- **ExpediteUpdaterExpectedUbr** The expected UBR of the device. +- **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsCachedNotificationRetrieved + +This event is sent when a notification is received. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter that indicates ordering of events sent by the user. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsBlobNotificationNotEmpty** A boolean that is true if the blob notification has valid content. 
+ + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. 
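Review bot: In the added `ExpediteUpdaterFailedToUpdateToExpectedUbr` section the description reads "This event indicates the expected UBR of the device", which does not match the event name (a failure to reach the expected UBR), and the field list that follows has no UBR field at all, only `ExpediteErrorBitMap`, `ExpediteResult` and `ExpediteUpdaterPolicyRestoreResult`. Reword the description to say what condition triggers the event, and expand "UBR" once where it first appears. Smaller points in the same hunk: "True at the start Downloading." is missing "of", the `UpdateAssistantStateCheckingCompat` line has no closing period, and `ExpediteDownloadStarted` writes "policy Id" and "Update Id" where `ExpediteDetectionStarted` writes "policy ID" and "UpdateId".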
@@ -5550,6 +4701,62 @@ The following fields are available: - **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed + +This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Telemetry event counter. +- **PackageVersion** Version label of the package sending telemetry. +- **UpdateHealthToolsEnterpriseActionResult** Result of running the tool expressed as an HRESULT. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationCompleted + +This event is received when a push notification has been completed by the UpdateHealthTools service. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationReceived + +This event is received when the UpdateHealthTools service receives a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. 
+- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentChannel** The channel used to receive notification. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus + +This event is received when there is status on a push notification. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of UpdateHealthTools. +- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device. +- **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push. +- **UpdateHealthToolsPushCurrentRequestId** The request ID for the push. +- **UpdateHealthToolsPushCurrentStep** The current step for the push notification + + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date. 
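Review bot: The description added for `UpdateHealthToolsDeviceInformationUploadFailed`, "This event provides information for device which failed to upload the details", is ungrammatical and never says which details. The neighbouring context line for `UpdateHealthToolsDeviceInformationUploaded` already has the right pattern ("This event is received when the UpdateHealthTools service uploads device information"), so mirror it for the failure case. Also in this hunk: "The HRESULT return by the enterprise action" should read "returned", and the last `UpdateHealthToolsPushCurrentStep` line under `UpdateHealthToolsPushNotificationStatus` is missing its period.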
@@ -5561,31 +4768,19 @@ The following fields are available: - **PackageVersion** The package version of the label. +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted -## Update events - -### Update360Telemetry.DriverUpdateSummaryReport - -This event collects information regarding the state of devices and drivers on the system, following a reboot, after the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: -- **AnalysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during the analysis. -- **AppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **DevicePopulateErrorCount** The number of errors that occurred during the population of the list of all devices on the system, includes information such as, hardware ID, compatible ID. -- **ErrorCode** The error code returned. -- **FlightId** The flight ID for the driver manifest update. -- **ObjectId** The unique value for each diagnostics session. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Indicates the result of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** The unique value for each update session. -- **Summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. 
-- **TruncatedDeviceCount** The number of devices missing from the summary string due to there not being enough room in the string. -- **TruncatedDriverCount** The number of devices missing from the summary string due to there not being enough room in the string. -- **UpdateId** Unique ID for each update. +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of remediation. +## Update events + ### Update360Telemetry.Revert This event sends data relating to the Revert phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date. @@ -5604,7 +4799,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5621,7 +4816,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
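Review bot: The hunk at `@@ -5561,31 +4768,19 @@` deletes the whole `Update360Telemetry.DriverUpdateSummaryReport` section, description and all fourteen fields, with nothing taking its place. For a page whose purpose is to list what is collected, please confirm the event is not emitted on the releases this page covers. If it still is, the section should stay. In the `UpdateHealthToolsServiceStarted` text added by the same hunk, `PackageVersion` is described as "Current package version of remediation", while the sibling events say "Current package version of UpdateHealthTools". Use the same wording unless a different package is meant.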
@@ -5666,7 +4861,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5688,7 +4883,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5710,7 +4905,6 @@ This event sends data for the install phase of updating Windows. The data collec The following fields are available: -- **CancelRequested** Boolean to indicate whether a cancel was requested. - **ErrorCode** The error code returned for the current install phase. - **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. - **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). 
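Review bot: The last hunk here (`@@ -5710,7 +4905,6 @@`) drops the `CancelRequested` field from the install-phase field list without any accompanying text change. Removing a documented field is only correct if the event no longer carries it on the releases this page describes, so please verify that before merging. If the field is still sent, the line "Boolean to indicate whether a cancel was requested" needs to stay.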
@@ -5771,7 +4965,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5787,7 +4981,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5805,7 +4999,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
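Review bot: The platform-applicability wording is written three different ways across the hunks on this stretch: "Applicable to both PCs and Mobile." in `UpdateAgentModeStart`, "which is leveraged by both Mobile and Desktop" in `UpdateAgentOneSettings`, and "for both Mobile and Desktop" in `UpdateAgentPostRebootResult`. The first is also a sentence fragment with no subject. Pick one form (for example "This event applies to both PCs and Mobile.") and one pair of terms, PC or Desktop, and use it in every description that gets this addition.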
@@ -5841,7 +5035,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -5947,7 +5141,7 @@ The following fields are available: ### Setup360Telemetry.OsUninstall -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, Windows 10, and Windows 11. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
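Review bot: The `Setup360Telemetry.OsUninstall` change removes Windows 11 from the list of source operating systems ("from Windows 7, Windows 8, and Windows 10") while leaving the rest of the description untouched. Please confirm this page is scoped to releases where Windows 11 does not apply. If the event is also sent for Windows 11, the shortened list understates where the data is collected. The same question applies to any sibling description that gets the same edit, so it is worth settling once.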
@@ -6013,12 +5207,12 @@ The following fields are available: ### Setup360Telemetry.PreDownloadUX -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10, Windows 11 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. 
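Review bot: In the `PreDownloadUX` field list, the `FlightData` description is word for word the `ClientId` description above it ("this will be the Windows Update client ID that is passed to Setup"), and the -/+ pair for that line differs only in whitespace as shown here. Since the line is being touched anyway, replace the copied text with a description of what `FlightData` actually holds. The reworded event description also still ends its OS list with "and RS", which is not defined anywhere in the visible text. Spell it out or drop it.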
@@ -6057,7 +5251,7 @@ The following fields are available: ### Setup360Telemetry.PreInstallUX -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, Windows 10, and Windows 11, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. The following fields are available: @@ -6155,7 +5349,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
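Review bot: The description edited for `Setup360Telemetry.Setup360OneSettings` is the same sentence used for `Update360Telemetry.UpdateAgentOneSettings` ("collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario"), and this hunk only appends "which is leveraged by both Mobile and Desktop" to it. Nothing in the sentence says what a OneSettings event reports or how the Setup360 variant differs from the Update360 one. Please check whether the text was copied from the post-reboot event and, if so, give this event its own description.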
@@ -6309,80 +5503,375 @@ The following fields are available: - **timeStamp** The error time stamp as recorded in the error record. -## Windows Update CSP events +## Windows Store events -### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation -This event sends basic telemetry on the failure of the Feature Rollback. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. The following fields are available: -- **current** Result of currency check. -- **dismOperationSucceeded** Dism uninstall operation status. -- **hResult** Failure error code. -- **oSVersion** Build number of the device. -- **paused** Indicates whether the device is paused. -- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **sacDevice** This is the device info. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The product family name of the product being installed. 
+- **ProductId** The identity of the package or packages being installed. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. -### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds -This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. The following fields are available: -- **current** Result of currency check. -- **dismOperationSucceeded** Dism uninstall operation status. -- **oSVersion** Build number of the device. -- **paused** Indicates whether the device is paused. -- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **sacDevice** Represents the device info. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. 
+- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. -### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense -This event sends basic information indicating that Feature Rollback has started. The data collected with this event is used to help keep Windows secure and up to date. - - - -### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed - -This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. The following fields are available: -- **current** Result of currency check. -- **dismOperationSucceeded** Dism uninstall operation status. -- **hResult** Failure Error code. -- **oSVersion** Build number of the device. -- **paused** Indicates whether the device is paused. -- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **sacDevice** Release Channel. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **BundleId** The bundle ID +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? 
+- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. -### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload -This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. The following fields are available: -- **current** Result of currency check. -- **dismOperationSucceeded** Dism uninstall operation status. -- **oSVersion** Build number of the device. -- **paused** Indicates whether the device is paused. -- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of Windows Update for Business connection check. +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. 
+- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. -### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate -This event indicates that the Quality Rollback process has started. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. 
+- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. 
+ +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? 
+- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **PFN** The Package Family Name of the app that is being installed or updated. 
+- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. 
+- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. 
+- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.StateTransition + +Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure. + +The following fields are available: + +- **CatalogId** The ID for the product being installed if the product is from a private catalog, such as the Enterprise catalog. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **HResult** The resulting HResult error/success code of this operation. +- **NewState** The current fulfillment state of this product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginLastStage** The most recent product fulfillment step that the plug-in has reported (different than its state). +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **Prevstate** The previous fulfillment state of this product. 
+- **ProductId** Product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. ## Windows Update Delivery Optimization events 
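Review bot: In the added EndStageUserData field list, **UserAttemptNumber** is described as "The total number of system attempts", the same text as the SystemAttemptNumber line directly above it; the other added StoreAgent sections in this hunk describe it as user attempts, so this looks like a copy-paste slip. Two typos in the same hunk: "The Product Family Name of the app being download" (first PFN entry) and "Specfic edition of the app being updated" (SkuId under SearchForUpdateOperationRequest). PFN is also expanded in four different ways across these sections (Product Family Name, Package Family Name, Product Full Name, and "The name of the package or packages requested for install"); please settle on one. Finally, EndFrameworkUpdate is documented as sent when "the process starts to download" the Framework package, which reads like the description of a Begin event and is worth checking against the event's actual trigger.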
@@ -6421,61 +5910,6 @@ The following fields are available: - **updateID** The ID of the update being downloaded. -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted - -This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **background** Is the download a background download? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLedbat** The number of bytes received from source using an Ledbat enabled connection. -- **bytesFromLinkLocalPeers** The number of bytes received from local peers. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **bytesRequested** The total number of bytes requested for download. -- **cacheServerConnectionCount** Number of connections made to cache hosts. -- **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP address of the source CDN. -- **cdnUrl** Url of the source Content Distribution Network (CDN). -- **congestionPrevention** Indicates a download may have been suspended to prevent network congestion. -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). 
-- **downlinkUsageBps** The download speed (in bytes per second). -- **downloadMode** The download mode used for this file download session. -- **downloadModeReason** Reason for the download. -- **downloadModeSrc** Source of the DownloadMode setting. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. -- **fileID** The ID of the file being downloaded. -- **fileSize** The size of the file being downloaded. -- **groupConnectionCount** The total number of connections made to peers in the same group. -- **groupID** A GUID representing a custom group of devices. -- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. -- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. -- **isThrottled** Event Rate throttled (event represents aggregated data). -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. -- **numPeers** The total number of peers used for this download. -- **numPeersLocal** The total number of local peers used for this download. -- **predefinedCallerName** The name of the API Caller. -- **restrictedUpload** Is the upload restricted? -- **routeToCacheServer** The cache server setting, source, and value. -- **sessionID** The ID of the download session. -- **sessionTimeMs** The duration of the session, in milliseconds. -- **totalTimeMs** Duration of the download (in seconds). -- **updateID** The ID of the update being downloaded. -- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). 
-- **uplinkUsageBps** The upload speed (in bytes per second). - - ### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. 
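Review bot: The whole Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted section is deleted here while the neighbouring DownloadPaused section stays as context, and nothing in the hunk says why. If the event is still collected at this diagnostic data level, dropping it leaves the field reference incomplete for anyone auditing what Delivery Optimization reports (the removed list includes cdnIp, cdnUrl, groupID and isVpn). Please confirm the event is retired for this release, or restore the section.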
@@ -6719,34 +6153,18 @@ The following fields are available: - **WorkCompleted** A flag that indicates if work is completed. -### Microsoft.Windows.Update.Orchestrator.Client.MACUpdateInstallResult - -This event reports the installation result details of the MACUpdate expedited application. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **Completed** Indicates whether the installation is complete. -- **InstallFailureReason** Indicates the reason an install failed. -- **IsRetriableError** Indications whether the error is retriable. -- **OperationStatus** Returns the operation status result reported by the installation attempt. -- **Succeeded** Indicates whether the installation succeeded. -- **VelocityEnabled** Indicates whether the velocity tag for MACUpdate is enabled. - - ### Microsoft.Windows.Update.Orchestrator.UX.InitiatingReboot This event indicates that a restart was initiated in to enable the update process. The data collected with this event is used to help keep Windows up to date. The following fields are available: -- **correlationVector.c_str()** Represents the correlation vector. -- **isInteractive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action or not. -- **isOnAC** Indicates whether the device was on AC power when the restart was initiated. -- **isRebootOutsideOfActiveHours** is reboot outside active hours. -- **isRebootScheduledByUser** is reboot scheduled by user. -- **reduceDisruptionFlagSet** Indicates whether the disruptless overnight reboot behavior is enabled. -- **updateIdList** list of Update ID. -- **wokeToRestart** whether the device woke to perform the restart. +- **isInteractive** Indicates reboot initiation stage of the update process was entered as a result of user action or not, to determine actions needed to keep Windows up to date. 
+- **isOnAC** Whether the device is on AC power when the restart was initiated. +- **isRebootOutsideOfActiveHours** Is reboot outside active hours. +- **isRebootScheduledByUser** Is reboot scheduled by user. +- **updateIdList** List of Update ID. +- **wokeToRestart** Whether the device woke to perform the restart. ### Microsoft.Windows.Update.Orchestrator.UX.RebootFailed @@ -6756,12 +6174,22 @@ This event indicates that the reboot failed and the update process failed to det The following fields are available: - **batteryLevel** Battery level percentage. -- **correlationVector.c_str()** correlation vector. - **error** error for reboot failed. - **isRebootOutsideOfActiveHours** Indicates the timing that the failed reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. - **updateIdList** List of update ids. +### Microsoft.Windows.Update.Orchestrator.Worker.EulaAccepted + +Indicates that EULA for an update has been accepted. + +The following fields are available: + +- **publisherIntent** Publisher Intent id associated with the update. +- **reason** Reason for EULA acceptance. +- **update** Update for which EULA has been accepted. See [update](#update). + + ### Microsoft.Windows.Update.Orchestrator.Worker.OobeUpdateApproved This event signifies an update being approved around the OOBE time period. The data collected with this event is used to help keep Windows secure and up to date. 
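Review bot: In the InitiatingReboot section, the rewritten **isInteractive** line no longer parses: "Indicates reboot initiation stage of the update process was entered as a result of user action or not" lost the "whether" that the removed line had. Suggest "Indicates whether the reboot initiation stage of the update process was entered as a result of user action". The same hunk drops correlationVector.c_str() and reduceDisruptionFlagSet from the field list and removes the MACUpdateInstallResult section; confirm those are no longer sent rather than just undocumented. The unchanged summary line still reads "a restart was initiated in to enable the update process", which could be fixed while this section is being touched.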
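Review bot: The new Microsoft.Windows.Update.Orchestrator.Worker.EulaAccepted entry, unlike the sections around it, has no statement of what the collected data is used for; its summary is only "Indicates that EULA for an update has been accepted." Its **update** field links to [update](#update), so check that an anchor with that id exists in this file. In RebootFailed, "error for reboot failed" stays lower-case and circular while the neighbouring section's descriptions were just capitalised; something like "The error reported for the failed reboot" would read better.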
@@ -6785,1193 +6213,12 @@ The following fields are available: - **freeDiskSpaceInMB** Amount of free disk space. - **interactive** Informs if this action is caused due to user interaction. - **priority** The CPU and IO priority this action is being performed on. -- **provider** The provider that is being invoked to perform this action (Windows Update , Legacy UO Provider etc.). +- **provider** The provider that is being invoked to perform this action (Windows Update, Legacy UO Provider etc.). - **update** Update related metadata including UpdateId. - **uptimeMinutes** Duration USO for up for in the current boot session. - **wilActivity** Wil Activity related information. -### Microsoft.Windows.Update.WUClient.CheckForUpdatesCanceled - -This event checks for updates canceled on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan. -- **EventInstanceID** A globally unique identifier for event instance. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). 
-- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business target version is enabled on the device. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. -- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. -- **NumberOfLoop** Number of roundtrips the scan required. -- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan. -- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan. -- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **ScanDurationInSeconds** Number of seconds the scan took to complete. -- **ScanEnqueueTime** Number of seconds it took to initialize the scan. -- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. 
Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **ServiceUrl** Environment URL for which a device is configured to scan. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync). -- **TotalNumMetadataSignatures** The detected version of the self healing engine that is currently downloading or downloaded. -- **WUDeviceID** The detected version of the self healing engine that is currently downloading or downloaded. - - -### Microsoft.Windows.Update.WUClient.CheckForUpdatesFailed - -This event checks for failed updates on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **CapabilityDetectoidGuid** GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the CDN's location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. 
Expected value for this field is 0. -- **DriverError** The error code hit during a driver scan, or 0 if no error was hit. -- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan. -- **EventInstanceID** A globally unique identifier for event instance. -- **ExtendedMetadataCabUrl** URL for the extended metadata cab. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FailedUpdateGuids** GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** Number of updates that failed to be evaluated during the scan. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business target version is enabled on the device. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. -- **MSIError** The last error encountered during a scan for updates. -- **NetworkConnectivityDetected** 0 when IPv4 is detected, 1 when IPv6 is detected. -- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. -- **NumberOfLoop** Number of roundtrips the scan required. -- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan. -- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan. -- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down. 
-- **Online** Indicates if this was an online scan. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **ScanDurationInSeconds** Number of seconds the scan took to complete. -- **ScanEnqueueTime** Number of seconds it took to initialize the scan. -- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **ServiceUrl** Environment URL for which a device is configured to scan. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult.). -- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync). -- **TotalNumMetadataSignatures** The detected version of the self healing engine that is currently downloading or downloaded. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.CheckForUpdatesRetry - -This event checks for update retries on the Windows Update client. 
The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DriverSyncPassPerformed** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **ExtendedStatusCode** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. -- **FeatureUpdatePause** Failed Parse actions. -- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. -- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. -- **NumberOfLoop** Number of roundtrips the scan required. -- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan. -- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan. 
-- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **ScanDurationInSeconds** Number of seconds the scan took to complete. -- **ScanEnqueueTime** Number of seconds it took to initialize the scan. -- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **ServiceUrl** Environment URL for which a device is configured to scan. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync). -- **TotalNumMetadataSignatures** Total number of metadata signatures checks done for new metadata synced down. -- **WUDeviceID** Unique device id controlled by the software distribution client. 
- - -### Microsoft.Windows.Update.WUClient.CheckForUpdatesScanInitFailed - -This event checks for failed update initializations on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.CheckForUpdatesServiceRegistrationFailed - -This event checks for updates for failed service registrations the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **Context** Context of failure. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.CheckForUpdatesStarted - -This event checks for updates started on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. 
-- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **EventInstanceID** A globally unique identifier for event instance. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Flag indicated is Windows Update for Business FederatedScan is disabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.CheckForUpdatesSucceeded - -This event checks for successful updates on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **ActivityMatchingId** Unique identifier for a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. 
-- **BranchReadinessLevel** Servicing branch train configured on the device (CB, CBB, none). -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** UpdateIds which are currently being deferred until a later time. -- **DriverExclusionPolicy** Indicates if policy for not including drivers with Windows Update (WU) updates is enabled. -- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan. -- **EventInstanceID** A globally unique identifier for event instance. -- **ExcludedUpdateClasses** Update classifications being excluded via policy. -- **ExcludedUpdates** UpdateIds which are currently being excluded via policy. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdateDeferral** Deferral period configured for feature OS updates on the device, in days. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePeriod** Pause duration configured for feature OS updates on the device, in days. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6). -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. 
-- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. -- **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete. -- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked. -- **NumberOfLoop** Number of roundtrips the scan required. -- **NumberOfNewUpdatesFromServiceSync** Number of updates which were seen for the first time in this scan. -- **NumberOfUpdatesEvaluated** Number of updates evaluated by the scan. -- **NumFailedMetadataSignatures** Number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PausedUpdates** UpdateIds which are currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, datetime for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, datetime for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, datetime for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, datetime for the beginning of the pause time window. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdateDeferral** Deferral period configured for quality OS updates on the device, in days. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** Pause duration configured for quality OS updates on the device, in days. 
-- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **ScanDurationInSeconds** Number of seconds the scan took to complete. -- **ScanEnqueueTime** Number of seconds it took to initialize the scan. -- **ScanProps** This will be a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits will be used; all remaining bits will be reserved and set to zero. Bit 0 (0x1): IsInteractive -- will be set to 1 if the scan is requested by a user, or to 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker -- will be set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **ServiceUrl** Environment URL for which a device is configured to scan. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan for this event (1-Full Sync, 2-Delta Sync, 3-Full CatScan Sync, 4-Delta CatScan Sync). -- **TargetReleaseVersion** For drivers targeted to a specific device model, this is the version release of the drivers being distributed to the device. -- **TotalNumMetadataSignatures** Total number of metadata signatures checks done for new metadata synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete the operation. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.CommitFailed - -This event checks for failed commits on the Windows Update client. 
The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. -- **ExtendedStatusCode** Possible values are "Child", "Bundle", "Release" or "Driver". -- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **UpdateId** Identifier associated with the specific piece of content. - - -### Microsoft.Windows.Update.WUClient.CommitStarted - -This event tracks the commit started event on the Windows Update client. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. 
-- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **UpdateId** Identifier associated with the specific piece of content. - - -### Microsoft.Windows.Update.WUClient.CommitSucceeded - -This event is used to track the commit succeeded process, after the update installation, when the software update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. 
-- **ClassificationId** Classification identifier of the update content. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **EventType** Indicates the purpose of the event - whether scan started, succeeded, failed, etc. -- **ExtendedStatusCode** Possible values are "Child", "Bundle", "Release" or "Driver". -- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **HandlerType** The specific id of the flight the device is getting. -- **RevisionNumber** Indicates the kind of content (app, driver, windows patch, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **UpdateId** Identifier associated with the specific piece of content. - - -### Microsoft.Windows.Update.WUClient.DownloadCanceled - -This event tracks the download canceled event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **ActiveDownloadTime** Identifies the active total transferring time in seconds. -- **AppXBlockHashFailures** Number of block hash failures. -- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - Only the content required to launch the app is being downloaded "AutomaticContentOnly" - Only the optional [automatic] content for the app, i.e. 
the ones that can downloaded after the app has been launched, is being downloaded "AllContent" - All content for the app, including the optional [automatic] content, is being downloaded. -- **BundleBytesDownloaded** Number of bytes downloaded for bundle. -- **BundleId** Name of application making the Windows Update request. Used to identify context of request. -- **BundleRepeatFailCount** Identifies the number of repeated download failures. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Identifies the number of bytes downloaded. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **CancelReason** Reason why download is canceled. -- **CbsMethod** Identifies the CBS SelfContained method. -- **CDNCountryCode** CDN country identifier. -- **CDNId** CDN Identifier. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **ConnectTime** Identifies the total connection time in milliseconds. -- **DownloadPriority** Indicates the priority of the download activity. -- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). -- **DownloadStartTime** Identifies the download start time. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. 
-- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HostName** Identifies the hostname. -- **IPVersion** Identifies the IP Connection Type version. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **NetworkCost** Identifies the network cost. -- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted. -- **PackageFullName** Package name of the content. -- **PostDnldTime** Identifies the delay after last job in seconds. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Identifies repeated download failure count. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **SizeCalcTime** Identifies time taken for payload size calculation. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). 
-- **TotalExpectedBytes** Identifies the total expected download bytes. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedDO** Identifies if used DO. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.DownloadFailed - -This event tracks the download failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **ActiveDownloadTime** Identifies the active total transferring time in seconds. -- **AppXBlockHashFailures** Number of block hash failures. -- **AppXScope** Identifies streaming app phase. -- **BundleBytesDownloaded** Number of bytes downloaded for bundle. -- **BundleId** Name of application making the Windows Update request. Used to identify context of request. -- **BundleRepeatFailCount** Identifies the number of repeated download failures. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Identifies the number of bytes downloaded. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **CbsMethod** Identifies the CBS SelfContained method. -- **CDNCountryCode** Identifies the source CDN country code. -- **CDNId** CDN Identifier. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **ConnectTime** Identifies the total connection time in milliseconds. 
-- **DownloadPriority** Indicates the priority of the download activity. -- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). -- **DownloadStartTime** Identifies the download start time. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HostName** Identifies the hostname. -- **IPVersion** Identifies the IP Connection Type version. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **NetworkCost** Identifies the network cost. -- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted. -- **PackageFullName** The package name of the content. -- **PostDnldTime** Identifies the delay after last job in seconds. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. 
-- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Identifies repeated download failure count. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **SizeCalcTime** Identifies time taken for payload size calculation. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TotalExpectedBytes** Identifies the total expected download bytes. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedDO** Identifies if used DO. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.DownloadQueued - -This event tracks the download queued event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. 
-- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DownloadPriority** Indicates the priority of the download activity. -- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. -- **PackageFullName** The package name of the content. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **Reason** Regulation reason of why queued. -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. 
-- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.DownloadStarted - -This event tracks the download started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **DownloadPriority** Indicates the priority of the download activity. -- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. 
If the deployment action for the update is uninstall (bit 3). -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. -- **PackageFullName** The package name of the content. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). 
-- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.DownloadSucceeded - -This event tracks the successful download event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn’t actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. -- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - Only the content required to launch the app is being downloaded "AutomaticContentOnly" - Only the optional [automatic] content for the app, i.e. the ones that can downloaded after the app has been launched, is being downloaded "AllContent" - All content for the app, including the optional [automatic] content, is being downloaded. -- **BundleBytesDownloaded** Indicates the bytes downloaded for bundle. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Identifies the number of repeated download failures. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle). -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. This value can be one of the following: 1. Express download method was used for download. 2. SelfContained download method was used for download indicating the update had no express content. 
3. SelfContained download method was used indicating that the update has an express payload, but the server is not hosting it. 4. SelfContained download method was used indicating that range requests are not supported. 5. SelfContained download method was used indicating that the system does not support express download (dpx.dll is not present). 6. SelfContained download method was used indicating that self-contained download method was selected previously. 7. SelfContained download method was used indicating a fall back to self-contained if the number of requests made by DPX exceeds a certain threshold. -- **CDNCountryCode** Two letter country abbreviation for the CDN's location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **ConnectTime** Indicates the cumulative sum (in seconds) of how long it took to establish the connection for all updates in an update bundle. -- **DownloadPriority** Indicates the priority of the download activity. -- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). -- **DownloadStartTime** Start time in FILETIME for the download. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. 
-- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6) -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device. -- **NetworkCost** A flag indicating the cost of the network being used for downloading the update content. That could be one of the following values0x0 : Unkown0x1 : Network cost is unrestricted0x2 : Network cost is fixed0x4 : Network cost is variable0x10000 : Network cost over data limit0x20000 : Network cost congested0x40000 : Network cost roaming0x80000 : Network cost approaching data limit. -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be “metered”. -- **PackageFullName** The package name of the content. -- **PostDnldTime** Time taken, in seconds, to signal download completion after the last job has completed downloading payload. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. 
-- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **SizeCalcTime** Time taken, in seconds, to calculate the total download size of the payload. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TotalExpectedBytes** Total count of bytes that the download is expected (total size of the download.). -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedDO** Indicates whether the download used the delivery optimization service. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.DownloadSwitchingToBITS - -This event tracks the download switching to BITS event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Name of application making the Windows Update request. Used to identify context of request. -- **BundleRevisionNumber** Identifies the number of repeated download failures. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. 
There is no value being reported in this field right now. Expected value for this field is 0. -- **DownloadPriority** Indicates the priority of the download activity. -- **DownloadProps** Indicates a bitmask for download operations indicating 1. If an update was downloaded to a system volume (least significant bit i.e. bit 0) 2. If the update was from a channel other than the installed channel (bit 1) 3. If the update was for a product pinned by policy (bit 2) 4. If the deployment action for the update is uninstall (bit 3). -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **PackageFullName** The package name of the content. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. 
-- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.InstallCanceled - -This event tracks the install canceled event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. 
-- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. 
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **MsiAction** Stage of MSI installation where it failed. -- **MsiProductCode** Unique identifier of the MSI installer. -- **PackageFullName** The package name of the content. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** ID which represents a given MSI installation. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device id controlled by the software distribution client. 
- - -### Microsoft.Windows.Update.WUClient.InstallFailed - -This event tracks the install failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. 
-- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **MsiAction** Stage of MSI installation where it failed. -- **MsiProductCode** Unique identifier of the MSI installer. -- **PackageFullName** The package name of the content. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. 
-- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** ID which represents a given MSI installation. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.InstallRebootPending - -This event tracks the install reboot pending event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. 
-- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. 
-- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **MsiAction** Stage of MSI installation where it failed. -- **MsiProductCode** Unique identifier of the MSI installer. -- **PackageFullName** The package name of the content. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** ID which represents a given MSI installation. -- **UpdateId** Identifier associated with the specific piece of content. 
-- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.InstallStarted - -The event tracks the install started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. 
-- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **MsiAction** Stage of MSI installation where it failed. -- **MsiProductCode** Unique identifier of the MSI installer. 
-- **PackageFullName** The package name of the content. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** ID which represents a given MSI installation. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.InstallSucceeded - -The event tracks the successful install event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. 
- -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). 
-- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **InstallProps** A bitmask for future flags associated with the install operation. There is no value being reported in this field right now. Expected value for this field is 0. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **MsiAction** Stage of MSI installation where it failed. -- **MsiProductCode** Unique identifier of the MSI installer. -- **PackageFullName** The package name of the content. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). 
-- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** ID which represents a given MSI installation. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.RevertFailed - -This event tracks the revert failed event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. 
-- **CSIErrorType** Stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. 
-- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.RevertStarted - -This event tracks the revert started event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. 
-- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. 
-- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). 
-- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.RevertSucceeded - -The event tracks the successful revert event when the update client is trying to update the device. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle had previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClassificationId** Classification identifier of the update content. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation where it failed. -- **DeploymentMutexId** Mutex identifier of the deployment operation. -- **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation. -- **DeploymentProviderMode** Mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers which could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". 
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of that flight. -- **FlightId** The specific id of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content had previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). 
-- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClient.UpdateDetected - -This event tracks the update detected event when the software update client is trying to update the device. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClientExt.DataStoreHealth - -This event tracks the health of the data store. 
The data store stores updated metadata synced from the update services, service endpoint information synced from SLS services, and in-progress update data so the update client can continue to serve after reboot. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **EventScenario** Indicates the purpose of the event, for example, whether the scan started, succeeded or failed. -- **StatusCode** The result code of the event (success, cancellation, failure code HResult). - - -### Microsoft.Windows.Update.WUClientExt.DownloadCheckpoint - -This is a checkpoint event between the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **FileId** Unique identifier for the downloaded file. -- **FileName** Name of the downloaded file. -- **FlightId** The specific id of the flight the device is getting. -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). 
-- **UpdateId** Identifier associated with the specific piece of content. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClientExt.DownloadHeartbeat - -This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **BytesTotal** Total bytes to transfer for this content. -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat. -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat. -- **CurrentError** Last (transient) error encountered by the active download. -- **DownloadFlags** Flags indicating if power state is ignored. -- **DownloadState** Current state of the active download for this content (queued, suspended, progressing). -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting. -- **IsNetworkMetered** Indicates whether Windows considered the current network to be “metered”. -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any. -- **MOUpdateDownloadLimit** Mobile operator cap on size of OS update downloads, if any. -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, Connected Standby). -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. -- **ResumeCount** Number of times this active download has resumed from a suspended state. -- **RevisionNumber** Identifies the revision number of this specific piece of content. 
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **SuspendCount** Number of times this active download has entered a suspended state. -- **SuspendReason** Last reason for which this active download has entered suspended state. -- **UpdateId** Identifier associated with the specific piece of content. -- **WUDeviceID** Unique device id controlled by the software distribution client. - - -### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrity - -This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** Endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. -- **ListOfSHA256OfIntermediateCerData** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. -- **MetadataIntegrityMode** Base64 string of the signature associated with the update metadata (specified by revision id). -- **MetadataSignature** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. -- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable. -- **RawValidityWindowInDays** Raw unparsed mode string from the SLS response. May be null if not applicable. 
-- **RevisionId** Identifies the revision of this specific piece of content. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **SHA256OfLeafCerData** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate. -- **SHA256OfLeafCertPublicKey** Base64 string of hash of the leaf cert public key. -- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob. -- **SignatureAlgorithm** Hash algorithm for the metadata signature. -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. -- **UpdateId** Identifier associated with the specific piece of content. -- **ValidityWindowInDays** Validity window in days. - - -### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityFragmentSigning - -This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventScenario** Field indicating the sub-phase event scenario. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. 
-- **ListOfSHA256OfIntermediateCerData** List of Base64 string of hash of intermediate cert data. -- **MetadataIntegrityMode** Base64 string of the signature associated with the update metadata (specified by revision id). -- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable. -- **RawValidityWindowInDays** Raw unparsed string of validity window in effect when verifying the timestamp. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **SHA256OfLeafCerData** Base64 string of hash of the leaf cert data. -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). - - -### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegritySignature - -This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventScenario** Field indicating the sub-phase event scenario. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce. -- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id). -- **RawMode** Raw unparsed mode string from the SLS response. 
Null if not applicable. -- **RevisionId** Identifies the revision of this specific piece of content. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **SHA256OfLeafCertPublicKey** Base64 string of hash of the leaf cert public key. -- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob. -- **SignatureAlgorithm** Hash algorithm for the metadata signature. -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is malformed and decoding failed. -- **UpdateId** Identifier associated with the specific piece of content. - - -### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityTimestamp - -This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **RawMode** Raw unparsed mode string from the SLS response. Null if not applicable. 
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). -- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob. -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. -- **ValidityWindowInDays** Validity window in effect when verifying the timestamp. - - ### Microsoft.Windows.Update.WUClientExt.UUSLoadModuleFailed This is the UUSLoadModule failed event and is used to track the failure of loading an undocked component. The data collected with this event is used to help keep Windows up to date and secure. @@ -7981,7 +6228,6 @@ The following fields are available: - **LoadProps** A bitmask for flags associated with loading the undocked module. - **ModulePath** Path of the undocked module. - **ModuleVersion** Version of the undocked module. -- **PinkyFlags** PinkyFlags used to create the UUS session. - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one. - **StatusCode** Result of the undocked module loading operation. - **UusSessionID** Unique ID used to create the UUS session. 
@@ -8018,6 +6264,23 @@ The following fields are available: - **CommandLine** The command line used to launch RUXIMICS. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit + +This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ETagValue** eTag for sync. +- **hrInitialize** Error, if any, that occurred while initializing OneSettings. +- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch + +This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -8032,68 +6295,8 @@ The following fields are available: - **WasPresented** True if the user interaction campaign is displayed to the user. -### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit - -This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. - - -### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch - -This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **CommandLine** The command line used to launch RUXIMIH. -- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. - -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. 
-- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - ## Windows Update mitigation events -### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ActivityError - -This event provides information for error encountered when enabling In-Place Upgrade. The data collected with this event is used to help keep Windows secure. - -The following fields are available: - -- **wilActivity** Result of the attempt to enable In-Place Upgrade. See [wilActivity](#wilactivity). - - -### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshooting - -This event provides information for the operation of enabling In-Place Upgrade. The data collected with this event is used to help keep Windows secure. - -The following fields are available: - -- **wilActivity** Result of the attempt to enable In-Place Upgrade. See [wilActivity](#wilactivity). - - ### Microsoft.Windows.Mitigations.AllowInPlaceUpgrade.ApplyTroubleshootingComplete This event provides summary information after attempting to enable In-Place Upgrade. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -8135,7 +6338,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. @@ -8157,7 +6360,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O The following fields are available: -- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. - **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. 
@@ -8227,18 +6430,6 @@ The following fields are available: - **SoftReserveUsedSpace** The amount of the soft reserve used when end scenario is called. -### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError - -This event is sent when the Update Reserve Manager returns an error from one of its internal functions. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **FailedFile** The binary file that contained the failed function. -- **FailedFunction** The name of the function that originated the failure. -- **FailedLine** The line number of the failure. -- **ReturnCode** The return code of the function. - - ### Microsoft.Windows.UpdateReserveManager.InitializeReserves This event is sent when reserves are initialized on the device. The data collected with this event is used to help keep Windows secure and up to date. @@ -8334,4 +6525,4 @@ The following fields are available: - **Disposition** The parameter for the hard reserve adjustment function. - **Flags** The flags passed to the hard reserve adjustment function. - **PendingHardReserveAdjustment** The final change to the hard reserve size. -- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. \ No newline at end of file +- **UpdateType** Indicates whether the change is an increase or decrease in the size of the hard reserve. From e3f614c777351b3fad9c1b0fc52a6d84e4d8c9cf Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 15:44:16 -0700 Subject: [PATCH 066/106] Fix broken links --- ...windows-11-diagnostic-events-and-fields.md | 21 +++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 12ca6c8f39..40103dee45 100644 
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -1890,7 +1890,7 @@ The following fields are available: - **appResult** The AppResult for the CXH OOBE scenario, e.g. "success" or "fail". This is logged on scenario completion, i.e. with the stop event. - **experience** A JSON blob containing properties pertinent for the CXH scenario launch, with PII removed. Examples: host, port, protocol, surface. Logged on the start event. - **source** The scenario for which CXH was launched. Since this event is restricted to OOBE timeframe, this will be FRXINCLUSIVE or FRXOOBELITE. Logged with the start event. -- **wilActivity** Common data logged with all Wil activities. See [wilActivity](#wilactivity). +- **wilActivity** Common data logged with all Wil activities. ## Code Integrity events @@ -1916,7 +1916,7 @@ Fires at the beginning and end of the HVCI auto-enablement process in sysprep. The following fields are available: -- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. See [wilActivity](#wilactivity). +- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed 
@@ -2160,6 +2160,19 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. ## Component-based servicing events @@ -2860,7 +2873,7 @@ The following fields are available: - **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion. - **PackageVersion** Windows Mixed Reality Portal app package version. - **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state. -- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. See [wilActivity](#wilactivity). +- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. ### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming @@ -6187,7 +6200,7 @@ The following fields are available: - **publisherIntent** Publisher Intent id associated with the update. - **reason** Reason for EULA acceptance. -- **update** Update for which EULA has been accepted. See [update](#update). +- **update** Update for which EULA has been accepted. ### Microsoft.Windows.Update.Orchestrator.Worker.OobeUpdateApproved 
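Review bot: the rewritten wilActivity line in the @@ -1916,7 +1916,7 @@ hunk (HVCISysprep) still carries the misspelling "sucess". The line is being replaced anyway, so correct it to "success" in the same change.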
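Review bot: in the @@ -6187,7 +6200,7 @@ hunk, dropping "See [update](#update)." leaves "- **update** Update for which EULA has been accepted." with nothing that says what the field contains, and the wilActivity lines in the @@ -1890,7 +1890,7 @@, @@ -1916,7 +1916,7 @@ and @@ -2873,7 +2873,7 @@ hunks lose their pointer the same way. If the #update and #wilactivity anchors no longer exist in this file, consider restoring the target sections or folding a one-line summary of the structure into each field description instead of only deleting the reference.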
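Review bot: in the section added by the @@ -2160,6 +2160,19 @@ hunk, the inventoryId description "Device ID used for Compatibility testing" is missing its closing period and capitalizes "Compatibility", unlike the other four field descriptions. The hunk also adds a whole new "Common data fields" section under a commit titled "Fix broken links"; state in the commit message why it belongs here, or move it to its own commit.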
From bc39e0013cacd2011cf56d933501e376f7613deb Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 16:21:23 -0700 Subject: [PATCH 067/106] Metadata updates --- windows/privacy/Microsoft-DiagnosticDataViewer.md | 7 ++----- ...-level-windows-diagnostic-events-and-fields-1703.md | 5 ++--- ...-level-windows-diagnostic-events-and-fields-1709.md | 5 ++--- ...-level-windows-diagnostic-events-and-fields-1803.md | 5 ++--- ...-level-windows-diagnostic-events-and-fields-1903.md | 6 ++---- .../changes-to-windows-diagnostic-data-collection.md | 6 ++---- ...ure-windows-diagnostic-data-in-your-organization.md | 9 +++------ windows/privacy/diagnostic-data-viewer-overview.md | 10 +++------- ...gnostic-data-windows-analytics-events-and-fields.md | 7 ++----- .../essential-services-and-connected-experiences.md | 4 ++-- windows/privacy/index.yml | 7 ++----- ...ystem-components-to-microsoft-services-using-MDM.md | 5 ++--- ...perating-system-components-to-microsoft-services.md | 10 +++------- windows/privacy/manage-windows-11-endpoints.md | 6 ++---- windows/privacy/manage-windows-1809-endpoints.md | 8 ++------ windows/privacy/manage-windows-1903-endpoints.md | 6 ++---- windows/privacy/manage-windows-1909-endpoints.md | 6 ++---- windows/privacy/manage-windows-2004-endpoints.md | 6 ++---- windows/privacy/manage-windows-20H2-endpoints.md | 6 ++---- windows/privacy/manage-windows-21H1-endpoints.md | 6 ++---- windows/privacy/manage-windows-21h2-endpoints.md | 6 ++---- ...equired-diagnostic-events-fields-windows-11-22H2.md | 6 ++---- ...d-windows-diagnostic-data-events-and-fields-2004.md | 9 +++------ windows/privacy/windows-10-and-privacy-compliance.md | 6 ++---- .../windows-11-endpoints-non-enterprise-editions.md | 6 ++---- windows/privacy/windows-diagnostic-data-1703.md | 7 ++----- windows/privacy/windows-diagnostic-data.md | 10 +++------- .../windows-endpoints-1809-non-enterprise-editions.md | 7 ++----- .../windows-endpoints-1903-non-enterprise-editions.md | 6 ++---- 
.../windows-endpoints-1909-non-enterprise-editions.md | 4 ---- .../windows-endpoints-2004-non-enterprise-editions.md | 6 ++---- .../windows-endpoints-20H2-non-enterprise-editions.md | 6 ++---- .../windows-endpoints-21H1-non-enterprise-editions.md | 6 ++---- 33 files changed, 69 insertions(+), 146 deletions(-) diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 0876168a21..6638ac61ee 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -1,16 +1,13 @@ --- title: Diagnostic Data Viewer for PowerShell Overview (Windows 10) description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: -ms.technology: privacy --- # Diagnostic Data Viewer for PowerShell Overview diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index d223a6c0eb..584e2472e5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -1,14 +1,13 @@ --- description: Learn more about the Windows 10, version 1703 diagnostic data gathered at the basic level. title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10) -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.technology: privacy --- 
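Review bot: the 1703 hunk keeps the context line "localizationpriority: high" without the ms. prefix, while the Microsoft-DiagnosticDataViewer.md hunk in the same patch shows "ms.localizationpriority: high". The unprefixed key also appears as context in the 1709, 1803, 1903, 2004 and 22H2 event-and-field files touched here. Since this is a metadata pass, normalize the key in the same change or confirm that the unprefixed form is intended.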
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index a2c1dc626d..0285ca22aa 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -1,14 +1,13 @@ --- description: Learn more about the Windows 10, version 1709 diagnostic data gathered at the basic level. title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.technology: privacy --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 3f5ec6ca08..794b8a6d92 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -1,14 +1,13 @@ --- description: Learn more about the Windows 10, version 1803 diagnostic data gathered at the basic level. title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10) -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.technology: privacy --- diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index a4b2b137a0..91ed7830b8 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md 
@@ -1,15 +1,13 @@ --- description: Learn more about the Windows 10, version 1903 diagnostic data gathered at the basic level. title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10) -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: -ms.technology: privacy --- diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index e63e7f1322..4495bae43a 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -1,15 +1,13 @@ --- title: Changes to Windows diagnostic data collection description: This article provides information on changes to Windows diagnostic data collection Windows 10 and Windows 11. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Changes to Windows diagnostic data collection diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 54a53c7426..9d0a698060 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -1,17 +1,14 @@ --- description: Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. title: Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: - - M365-security-compliance - - highpri +ms.collection: highpri ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Configure Windows diagnostic data in your organization diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index ccc46b0a6d..4a768201a7 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -1,18 +1,14 @@ --- title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11) description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: - - M365-security-compliance - - highpri +ms.collection: highpri ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: -ms.technology: privacy --- # Diagnostic Data Viewer Overview diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 4bac4f9032..982a48f7f5 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md 
@@ -1,16 +1,13 @@ --- title: Enhanced diagnostic data required by Windows Analytics (Windows 10) description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: -ms.technology: privacy --- diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 64119e56a4..56f401b3c6 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -1,12 +1,12 @@ --- title: Essential services and connected experiences for Windows description: Explains what the essential services and connected experiences are for Windows -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.technology: privacy ms.collection: highpri --- diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index dee456d738..ae7788c4a1 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -7,12 +7,9 @@ brand: m365 metadata: title: Windows Privacy description: Learn about how privacy is managed in Windows. - services: windows - ms.prod: windows + ms.prod: windows-client ms.topic: hub-page # Required - ms.collection: - - M365-security-compliance - - highpri + ms.collection: highpri author: DHB-MSFT ms.author: danbrown manager: dougeby 
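Review bot: the index.yml hunk changes ms.prod to windows-client and drops "services: windows", but adds no "ms.technology: itpro-privacy", which the article hunks in this patch add alongside the new ms.prod value. If the hub page is meant to carry the same product and technology pair, add the line; if it is deliberately different, say so in the commit message.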
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 4cf92acefc..b06310788f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -1,13 +1,12 @@ --- title: Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server description: Use MDM CSPs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.date: 11/29/2021 -ms.technology: privacy --- # Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 7fcd6fb74b..ee631755a6 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -1,18 +1,14 @@ --- title: Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections. -ms.reviewer: -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: - - M365-security-compliance - - highpri +ms.collection: highpri ms.topic: article -ms.date: 12/14/2021 -ms.technology: privacy --- # Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 3e7ac5829b..1633afaa86 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -1,15 +1,13 @@ --- title: Connection endpoints for Windows 11 Enterprise description: Explains what Windows 11 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 11. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Manage connection endpoints for Windows 11 Enterprise diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index eb95151983..4ce066cee1 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
@@ -1,17 +1,13 @@ --- title: Connection endpoints for Windows 10, version 1809 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1809. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: -ms.technology: privacy - --- # Manage connection endpoints for Windows 10 Enterprise, version 1809 diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 40b10d7787..b9574d92f2 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -1,15 +1,13 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 1903 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1903. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Manage connection endpoints for Windows 10 Enterprise, version 1903 diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index cfdf8bdd5d..a8ed4e5e01 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
@@ -1,15 +1,13 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 1909 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1909. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Manage connection endpoints for Windows 10 Enterprise, version 1909 diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index fbdb65cb57..58dda9f87d 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -1,15 +1,13 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 2004 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 2004. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Manage connection endpoints for Windows 10 Enterprise, version 2004 diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index 1aca2568d3..a4b5c3dcc6 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md 
@@ -1,15 +1,13 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 20H2 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 20H2. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Manage connection endpoints for Windows 10 Enterprise, version 20H2 diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 844afb43a7..753fad6ce5 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -1,15 +1,13 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 21H1 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H1. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Manage connection endpoints for Windows 10 Enterprise, version 21H1 diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index 23f5dcb20a..f07efac32e 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md 
@@ -1,15 +1,13 @@ --- title: Connection endpoints for Windows 10 Enterprise, version 21H2 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H2. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.technology: privacy --- # Manage connection endpoints for Windows 10 Enterprise, version 21H2 diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index a0b4351043..8be4196bcb 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -2,15 +2,13 @@ description: Learn more about the Windows 11, version 22H2 diagnostic data gathered. title: Required diagnostic events and fields for Windows 11, version 22H2 keywords: privacy, telemetry -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -audience: ITPro -ms.date: 09/20/2022 --- diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 339c597a08..2931a62db5 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md 
@@ -1,17 +1,14 @@ --- description: Learn more about the required Windows 10 diagnostic data gathered. title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: - - M365-security-compliance - - highpri +ms.collection: highpri ms.topic: article -ms.date: -ms.technology: privacy --- diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index e4e7e22ec9..e3c49d3cbd 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -1,15 +1,13 @@ --- title: Windows Privacy Compliance Guide description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.technology: privacy --- # Windows Privacy Compliance:
    A Guide for IT and Compliance Professionals diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index d24d978945..c39555ffe6 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -1,15 +1,13 @@ --- title: Windows 11 connection endpoints for non-Enterprise editions description: Explains what Windows 11 endpoints are used in non-Enterprise editions. Specific to Windows 11. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.technology: privacy --- # Windows 11 connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md index 2651ae6d53..5ce38f257d 100644 --- a/windows/privacy/windows-diagnostic-data-1703.md +++ b/windows/privacy/windows-diagnostic-data-1703.md @@ -1,16 +1,13 @@ --- title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10) description: Use this article to learn about the types of data that is collected the Full diagnostic data level. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.reviewer: -ms.technology: privacy --- # Windows 10 diagnostic data for the Full diagnostic data level diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 12ab817b8c..eac9f2f9b7 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md 
@@ -1,18 +1,14 @@ --- title: Windows 10, version 1709 and Windows 11 and later optional diagnostic data (Windows 10) description: Use this article to learn about the types of optional diagnostic data that is collected. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: - - M365-security-compliance - - highpri +ms.collection: highpri ms.topic: article -ms.reviewer: -ms.technology: privacy - --- # Windows 10, version 1709 and later and Windows 11 optional diagnostic data diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index 94356eae38..b57dba81f4 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -1,16 +1,13 @@ --- title: Windows 10, version 1809, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1809. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.reviewer: -ms.technology: privacy --- # Windows 10, version 1809, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index d98d8fa989..c062520432 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md 
@@ -1,15 +1,13 @@ --- title: Windows 10, version 1903, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1903. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.technology: privacy --- # Windows 10, version 1903, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 3608b11804..6926232bb7 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -1,15 +1,11 @@ --- title: Windows 10, version 1909, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1909. -ms.prod: m365-security ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.technology: privacy --- # Windows 10, version 1909, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md index 4b4f07c78f..97a017647b 100644 --- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md 
@@ -1,15 +1,13 @@ --- title: Windows 10, version 2004, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 2004. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.technology: privacy --- # Windows 10, version 2004, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md index ec38d80ece..e60e1d97e7 100644 --- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md @@ -1,15 +1,13 @@ --- title: Windows 10, version 20H2, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 20H2. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.technology: privacy --- # Windows 10, version 20H2, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md index 2923d95d74..f48389c056 100644 --- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md 
@@ -1,15 +1,13 @@ --- title: Windows 10, version 21H1, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 21H1. -ms.prod: m365-security +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/01/2021 -ms.technology: privacy --- # Windows 10, version 21H1, connection endpoints for non-Enterprise editions From ddff1c4e97fd7b2d3487c86efe7e870021b18fe4 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 16:53:07 -0700 Subject: [PATCH 068/106] Miscellaneous updates --- ...el-windows-diagnostic-events-and-fields-1703.md | 8 ++++---- ...el-windows-diagnostic-events-and-fields-1709.md | 8 ++++---- ...el-windows-diagnostic-events-and-fields-1803.md | 8 ++++---- ...el-windows-diagnostic-events-and-fields-1809.md | 12 ++++++------ ...el-windows-diagnostic-events-and-fields-1903.md | 14 +++++--------- ...red-diagnostic-events-fields-windows-11-22H2.md | 12 ++++++------ ...ired-windows-11-diagnostic-events-and-fields.md | 4 ++-- ...ndows-diagnostic-data-events-and-fields-2004.md | 13 +++++-------- ...ndows-endpoints-1909-non-enterprise-editions.md | 2 ++ 9 files changed, 38 insertions(+), 43 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 584e2472e5..dc91f14e6e 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md 
@@ -1444,7 +1444,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. @@ -2482,7 +2482,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. See [HWID](#hwid). - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) +- **InstallState** The device installation state. For a list of values, see: [Device Install State](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state) - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. 
@@ -2547,7 +2547,7 @@ The following fields are available: - **DriverIsKernelMode** Is it a kernel mode driver? - **DriverName** The file name of the driver. - **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package +- **DriverSigned** Is the driver signed? - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. @@ -4283,7 +4283,7 @@ The following fields are available: - **MsiProductCode** The unique identifier of the MSI installer. - **PackageFullName** The package name of the content being installed. - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **PlatformRole** The PowerPlatformRole as defined on MSDN. +- **PlatformRole** The PowerPlatformRole. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM). - **QualityUpdatePause** Are quality OS updates paused on the device? 
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 0285ca22aa..b26fc08415 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -1375,7 +1375,7 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID - **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier 
@@ -1516,7 +1516,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. @@ -2527,7 +2527,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) +- **InstallState** The device installation state. For a list of values, see: [Device Install State](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state) - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. 
@@ -2603,7 +2603,7 @@ The following fields are available: - **DriverIsKernelMode** Is it a kernel mode driver? - **DriverName** The file name of the driver. - **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package +- **DriverSigned** Is the driver signed? - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 794b8a6d92..83e1ec0e93 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md 
@@ -1432,7 +1432,7 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID - **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier @@ -1573,7 +1573,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode.ration EnableSharedPCMode. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. 
@@ -3471,7 +3471,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) +- **InstallState** The device installation state. For a list of values, see: [Device Install State](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state) - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. 
@@ -3547,7 +3547,7 @@ The following fields are available: - **DriverIsKernelMode** Is it a kernel mode driver? - **DriverName** The file name of the driver. - **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package +- **DriverSigned** Is the driver signed? - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 700809831d..48527dd1c6 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -2306,7 +2306,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. @@ -4821,7 +4821,7 @@ The following fields are available: - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx) +- **InstallState** The device installation state. For a list of values, see: [Device Install State](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state) - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. 
@@ -4920,7 +4920,7 @@ The following fields are available: - **DriverIsKernelMode** Is it a kernel mode driver? - **DriverName** The file name of the driver. - **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package +- **DriverSigned** Is the driver signed? - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. 
@@ -6169,7 +6169,7 @@ The following fields are available: - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. - **RemediationShellDeviceProSku** Indicates whether a Windows 10 Professional edition is detected. - **RemediationShellDeviceQualityUpdatesPaused** Indicates whether Quality Updates are paused on the device. -- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. - **RemediationShellDeviceSedimentMutexInUse** Indicates whether the Sediment Pack mutual exclusion object (mutex) is in use. - **RemediationShellDeviceSetupMutexInUse** Indicates whether device setup is in progress. - **RemediationShellDeviceWuRegistryBlocked** Indicates whether the Windows Update is blocked on the device via the registry. 
@@ -9693,8 +9693,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed. - **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU. - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. -- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. -- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. +- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager. +- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager. - **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. - **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 91ed7830b8..16f2b162e1 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,11 +13,6 @@ ms.topic: article # Windows 10, version 1909 and Windows 10, version 1903 required Windows diagnostic events and fields - -> [!IMPORTANT] -> Windows is moving to classifying the data collected from customer’s devices as either *Required* or *Optional*. - - **Applies to** - Windows 10, version 1909 
@@ -32,7 +27,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -2498,7 +2494,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. 
@@ -4998,7 +4994,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx). +- **InstallState** The device installation state. For a list of values, see [Device Install State](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state). - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device 
@@ -5097,7 +5093,7 @@ The following fields are available: - **DriverIsKernelMode** Is it a kernel mode driver? - **DriverName** The file name of the driver. - **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package +- **DriverSigned** Is the driver signed? - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index 8be4196bcb..f965b48765 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md 
@@ -962,9 +962,9 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier +- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier ### Census.Memory @@ -1035,7 +1035,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. 
@@ -2187,7 +2187,7 @@ The following fields are available: ### Microsoft.Windows.Shell.Oobe.ZDP.ZdpTaskCancelled -This event is the result of an attempt to cancel ZDP task +This event is the result of an attempt to cancel ZDP task. The following fields are available: @@ -2327,7 +2327,7 @@ The following fields are available: ### Microsoft.Surface.Battery.Prod.BatteryInfoEventV3 -Hardware level data about battery performance. +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -3319,7 +3319,7 @@ The following fields are available: ### Microsoft.Windows.Update.Ux.MusUpdateSettings.Derived.ClientAggregated.LaunchPageDuration -Derived Event Results for LaunchPageDuration Scenario. +This event is derived event results for the LaunchPageDuration scenario. ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 40103dee45..ec6574f029 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -1593,7 +1593,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. 
@@ -3335,7 +3335,7 @@ The following fields are available: - **DriverIsKernelMode** Is it a kernel mode driver? - **DriverName** The file name of the driver. - **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package +- **DriverSigned** Is the driver signed? - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 2931a62db5..52f963e220 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md 
@@ -15,10 +15,6 @@ ms.topic: article # Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields -> [!IMPORTANT] -> Windows is moving to classifying the data collected from customer’s devices as either *Required* or *Optional*. - - **Applies to** - Windows 10, version 21H2 @@ -35,7 +31,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -2029,7 +2026,7 @@ The following fields are available: - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. - **ServiceProductKeyID** Retrieves the License key of the KMS -- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode. - **Signature** Retrieves if it is a signature machine sold by Microsoft store. - **SLICStatus** Whether a SLIC table exists on the device. - **SLICVersion** Returns OS type/version from SLIC table. 
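Review bot: In the hunk at -31,7 the new first bullet links to required-diagnostic-events-fields-windows-11-22H2.md, a file that the visible part of this patch neither adds nor touches, and whose name follows a different pattern from the existing required-windows-11-diagnostic-events-and-fields.md target on the next bullet. Please confirm the file exists at that relative path under windows/privacy before merging, since a wrong name here becomes a broken link in every article that carries this list.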
@@ -3744,7 +3741,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: [Device Install State](https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx). +- **InstallState** The device installation state. For a list of values, see: [Device Install State](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state). - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device 
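Review bot: The context lines around the InstallState link fix carry descriptions that do not match their field names: HWID is described as "The version of the driver loaded for the device", Inf as "The bus that enumerated the device", and InventoryVersion as "List of hardware ids for the device". These look shifted from neighbouring fields, the same kind of copy error this patch corrects for DriverSigned, so they are worth fixing in the same pass. LowerClassFilters and LowerFilters are also missing their terminal period.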
@@ -3843,7 +3840,7 @@ The following fields are available: - **DriverIsKernelMode** Is it a kernel mode driver? - **DriverName** The file name of the driver. - **DriverPackageStrongName** The strong name of the driver package -- **DriverSigned** The strong name of the driver package +- **DriverSigned** Is the driver signed? - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. - **DriverVersion** The version of the driver file. diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 6926232bb7..514d815a7b 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -1,6 +1,8 @@ --- title: Windows 10, version 1909, connection endpoints for non-Enterprise editions description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1909. +ms.prod: windows-client +ms.technology: itpro-privacy ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown 
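Review bot: In the DriverSigned hunks (-3335,7 in the Windows 11 file and -3843,7 in the 2004 file) the new description "Is the driver signed?" does not state the value type, and the DriverType line directly below it already documents a DRIVER_MAP_DRIVER_IS_SIGNED 0x0008 bit. Readers who filter on signing status need to know which of the two is authoritative, so consider stating that DriverSigned is a Boolean (as the SharedPCMode line does with "Returns Boolean") and how it relates to that bit. DriverPackageStrongName, one line up, is still missing its terminal period.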
From e321f8b926b12d33493ce29b8e541c2fcad9fc2a Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 6 Oct 2022 13:40:29 -0700 Subject: [PATCH 069/106] Updates to event section --- ...ndows-diagnostic-events-and-fields-1903.md | 2414 ++++++++++------- 1 file changed, 1444 insertions(+), 970 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 16f2b162e1..79306eb815 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -38,8 +38,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - ## AppLocker events ### Microsoft.Windows.Security.AppLockerCSP.AddParams 
@@ -269,6 +267,11 @@ The following fields are available: - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_CO21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_CU22H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_CU22H2Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_NI22H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. 
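Review bot: The added block is asymmetric: CO21H2 and CU22H2 each get a base field and a Setup field, but NI22H2 only gets DatasourceApplicationFile_NI22H2Setup, with no DatasourceApplicationFile_NI22H2. The same pattern repeats in every later hunk of this file. If the base NI22H2 field exists in the event, it is missing from the documentation; if it does not, a short remark in the commit message would save the next reviewer the same question.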
@@ -284,6 +287,11 @@ The following fields are available: - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CO21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CU22H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CU22H2Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_NI22H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. 
@@ -302,6 +310,11 @@ The following fields are available: - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CO21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CU22H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CU22H2Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_NI22H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. 
@@ -320,6 +333,11 @@ The following fields are available: - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CO21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CU22H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CU22H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_NI22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. 
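Review bot: The new DataSourceMatchingInfoBlock_* lines use a capital "S" in "DataSource", while the DatasourceApplicationFile_*, DatasourceDevicePnp_* and DatasourceDriverPackage_* lines added earlier in this patch use a lowercase "s". The added lines follow the casing of their existing neighbours, so this may simply mirror the real field names, but please confirm against the event schema; anyone matching these names case-sensitively in a telemetry query will miss one family or the other if the documentation is wrong.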
@@ -335,6 +353,11 @@ The following fields are available: - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CO21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CU22H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CU22H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_NI22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. 
@@ -350,6 +373,11 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CO21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CU22H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CU22H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_NI22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. 
@@ -366,6 +394,11 @@ The following fields are available: - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_CO21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_CU22H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_CU22H2Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_NI22H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. 
@@ -384,6 +417,11 @@ The following fields are available: - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CO21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CU22H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. 
@@ -399,6 +437,11 @@ The following fields are available: - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CO21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CU22H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. 
@@ -417,6 +460,11 @@ The following fields are available: - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CO21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CU22H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. 
@@ -435,6 +483,11 @@ The following fields are available: - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CO21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CU22H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. 
@@ -450,6 +503,11 @@ The following fields are available: - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CO21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CU22H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. 
@@ -465,6 +523,11 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CO21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CU22H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. 
@@ -480,6 +543,11 @@ The following fields are available: - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CO21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CU22H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. 
@@ -493,6 +561,11 @@ The following fields are available: - **DecisionSModeState_21H1** The total number of objects of this type present on this device. - **DecisionSModeState_21H2** The total number of objects of this type present on this device. - **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_CO21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_CU22H2** The total number of objects of this type present on this device. +- **DecisionSModeState_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSModeState_RS1** The total number of objects of this type present on this device. - **DecisionSModeState_RS2** The total number of objects of this type present on this device. - **DecisionSModeState_RS3** The total number of objects of this type present on this device. 
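Review bot: The context here goes straight from DecisionSModeState_21H1 to DecisionSModeState_21H2, with no DecisionSModeState_21H1Setup between them, whereas the DecisionMediaCenter hunk just before shows a 21H1Setup entry in the same position. Since this change adds Setup variants for CO21H2, CU22H2 and NI22H2 to this list, it is worth checking whether the 21H1Setup entry is a pre-existing gap that should be filled at the same time.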
@@ -509,6 +582,11 @@ The following fields are available: - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H2** The total number of objects of this type present on this device. - **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_CU22H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. 
@@ -525,6 +603,11 @@ The following fields are available: - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CU22H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. 
@@ -538,6 +621,11 @@ The following fields are available: - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CU22H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. 
@@ -552,6 +640,11 @@ The following fields are available: - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CU22H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. 
@@ -565,6 +658,11 @@ The following fields are available: - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CU22H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. 
@@ -578,6 +676,11 @@ The following fields are available: - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CU22H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. 
@@ -592,6 +695,11 @@ The following fields are available: - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H2** The total number of objects of this type present on this device. - **DecisionTest_21H2Setup** The total number of objects of this type present on this device. +- **DecisionTest_CO21H2** The total number of objects of this type present on this device. +- **DecisionTest_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionTest_CU22H2** The total number of objects of this type present on this device. +- **DecisionTest_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionTest_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. 
@@ -605,6 +713,11 @@ The following fields are available: - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CO21H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CU22H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. 
@@ -618,6 +731,11 @@ The following fields are available: - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CO21H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CU22H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. 
@@ -656,6 +774,11 @@ The following fields are available: - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H2** The total number of objects of this type present on this device. - **Wmdrm_21H2Setup** The total number of objects of this type present on this device. +- **Wmdrm_CO21H2** The total number of objects of this type present on this device. +- **Wmdrm_CO21H2Setup** The total number of objects of this type present on this device. +- **Wmdrm_CU22H2** The total number of objects of this type present on this device. +- **Wmdrm_CU22H2Setup** The total number of objects of this type present on this device. +- **Wmdrm_NI22H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -1351,6 +1474,8 @@ The following fields are available: - **CpuStepping** Cpu stepping. - **CpuVendor** Cpu vendor. - **PlatformId** CPU platform identifier. +- **ProcessorName** OEM processor name. +- **ProductName** OEM product name. - **SysReqOverride** Appraiser decision about system requirements override. @@ -1675,7 +1800,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryTestAdd -This event provides diagnostic data for testing event adds to help keep windows up to date. +This event provides diagnostic data for testing event adds. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
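Review bot: In the Microsoft.Windows.Appraiser.General.InventoryTestAdd description, the new text drops the purpose clause ("to help keep windows up to date") and leaves only "This event provides diagnostic data for testing event adds." The other events in this file state why the data is collected, so this entry would now be the odd one out; either keep a purpose statement (fixing the capitalization of "Windows") or say explicitly that the event is test-only. In the hunk before it, the new ProcessorName and ProductName rows are described as "OEM processor name" and "OEM product name" without saying whether they are free-form strings, which matters to readers assessing what device-identifying data is sent.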
@@ -2344,8 +2469,8 @@ The following fields are available: - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. +- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier 
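Review bot: The rewritten SCCMClientId line still reads "This ID correlate systems"; since the line is being touched anyway, change it to "This ID correlates systems" and hyphenate "OMS-based". The lowercase "enterprise" and the whitespace fix in ServerFeatures look fine.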
@@ -2764,13 +2889,55 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. - **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). +## Code Integrity events + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Compatibility + +Fires when the compatibility check completes. Gives the results from the check. + +The following fields are available: + +- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false. +- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement). + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled + +Fires when auto-enablement is successful and HVCI is being enabled on the device. 
+ + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HVCIActivity + +Fires at the beginning and end of the HVCI auto-enablement process in sysprep. + +The following fields are available: + +- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. See [wilActivity](#wilactivity). + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed + +Fires when driver scanning fails to get results. + + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.IsRegionDisabledLanguage + +Fires when an incompatible language pack is detected. + +The following fields are available: + +- **Language** String containing the incompatible language pack detected. + + ## Common data extensions ### Common Data Extensions.app @@ -3244,12 +3411,6 @@ The following fields are available: ## Diagnostic data events -### Microsoft.Windows.Test.WindowsCoreTelemetryTestProvider.WindowsCoreTelemetryTestEvent - -This is an internal-only test event used to validate the utc.app and telemetry.asm-windowsdefault settings and namespaces before publishing. The provider of this event is assigned to the Windows Core Telemetry group provider in order to test. The data collected with this event is used to keep Windows performing properly - - - ### TelClientSynthetic.AbnormalShutdown_0 This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
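Review bot: In the new Code Integrity events section, the wilActivity row under HVCISysprep.HVCIActivity has a typo ("sucess") and should read "an HResult indicating success or failure". In the same hunk, the edited WUDODownloadMode row still runs two sentences together ("...acquire/distribute updates Delivery Optimization (DO) allows..."); add the missing period while the line is open. HVCISysprep.Enabled and HvciScanGetResultFailed list no fields, so it would help to say "This event has no fields" if that is the case, rather than leaving blank lines.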
@@ -3365,7 +3526,7 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensusExitCode** Returns last execution codes from census client run. +- **CensusExitCode** Last exit code of Census task - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. 
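Review bot: The new CensusExitCode text, "Last exit code of Census task", drops the terminal period and the "Returns ..." phrasing used by the neighbouring CensusStartTime and CensusTaskEnabled rows. Suggest "Returns the last exit code of the Census task." so the list stays consistent.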
@@ -4542,7 +4703,7 @@ This event indicates that the uninstall was properly configured and that a syste ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: 
@@ -4654,33 +4815,33 @@ The following fields are available: - **FileSigningInfo** A count of file signing objects in cache. - **Generic** A count of generic objects in cache. - **HwItem** A count of hwitem objects in cache. -- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health records in cache. -- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache. +- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health record objects in cache. +- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version element objects in cache. - **InventoryApplication** A count of application objects in cache. - **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache - **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache. -- **InventoryApplicationShortcut** A count of application shortcut objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache - **InventoryDeviceContainer** A count of device container objects in cache. - **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. - **InventoryDeviceMediaClass** A count of device media objects in cache. - **InventoryDevicePnp** A count of device Plug and Play objects in cache. -- **InventoryDeviceSensor** A count of device sensors in cache. +- **InventoryDeviceSensor** A count of device sensor objects in cache. - **InventoryDeviceUsbHubClass** A count of device usb objects in cache - **InventoryDriverBinary** A count of driver binary objects in cache. - **InventoryDriverPackage** A count of device objects in cache. 
- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache - **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache. -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache. -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache. -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache. -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache. -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache. -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache. -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache. -- **InventoryVersion** The version of the inventory binary generating the events. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **InventoryVersion** test - **Metadata** A count of metadata objects in cache. - **Orphan** A count of orphan file objects in cache. - **Programs** A count of program objects in cache. 
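Review bot: The InventoryVersion row is changed from "The version of the inventory binary generating the events." to the single word "test", which looks like placeholder text leaking into published documentation; please restore the original description. The hunk also strips the trailing period from about a dozen rows (InventoryApplicationDriver, InventoryApplicationFramework, InventoryApplicationShortcut and the InventoryMiscellaneousOffice* rows) while adding periods nowhere, so the list ends up less consistent than before. If these lines are generated, the generator output should be fixed rather than committed as is.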
@@ -4994,7 +5155,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see [Device Install State](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state). +- **InstallState** The device installation state. One of these values: [DEVICE_INSTALL_STATE enumeration](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state) - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device 
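Review bot: The context rows around the InstallState change appear to carry descriptions that belong to other fields: HWID is described as "The version of the driver loaded for the device", Inf as "The bus that enumerated the device", and InventoryVersion as "List of hardware ids for the device". Since this hunk already edits the list, it is worth checking whether the descriptions are shifted by one row and correcting them in the same change. The new InstallState line also ends without a period after the link.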
@@ -5235,61 +5396,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. -- **Provider** Name of the provider for this add-in. 
-- **Usage** Data about usage for the add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. 
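Review bot: This hunk deletes the InventoryMiscellaneousOfficeAddInAdd, Remove and StartSync event descriptions, but the cache-count list edited earlier in the patch still documents InventoryMiscellaneousOfficeAddIn and InventoryMiscellaneousOfficeAddInUsage. Please confirm the three events are no longer emitted at this diagnostic level; if they are still sent, removing their field lists (FullPath, ProductCompany, Usage and so on) takes away the only description of what they collect.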
@@ -5641,8 +5747,12 @@ The following fields are available: - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. - **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. +- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. E.g. Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z +- **appPingEventDownloadMetricsCdnCache** Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) E.g. HIT from proxy.domain.tld, MISS from proxy.local - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. +- **appPingEventDownloadMetricsCdnMSEdgeRef** Used to help correlate client-to-AFD (Azure Front Door) conversations. E.g. Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z +- **appPingEventDownloadMetricsCdnP3P** Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. E.g. 
CP=\"CAO PSA OUR\" - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. - **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. - **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. 
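Review bot: The examples for appPingEventDownloadMetricsCdnAzureRefOriginShield and appPingEventDownloadMetricsCdnMSEdgeRef look like reference strings captured from real requests (a 32-hex-character Ref A, an edge node name and a timestamp). If they were copied from live traffic, replace them with obviously synthetic values before publishing. Minor: the CdnCache row lacks a closing period, and the new rows use "E.g." where the adjacent CdnCID row uses "For example,".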
@@ -5662,7 +5772,9 @@ The following fields are available: - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'. +- **appUpdateCheckIsRollbackAllowed** Check for status showing whether or not rollback is allowed. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. +- **appUpdateCheckTargetChannel** Check for status showing the target release channel. - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. - **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. 
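Review bot: The two added rows, appUpdateCheckIsRollbackAllowed and appUpdateCheckTargetChannel, are both described as "Check for status showing ...", which does not say what values the field takes or what the default is. The neighbouring appUpdateCheckIsUpdateDisabled row spells out the true/false meaning and the other rows give a Default; please follow that pattern here.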
@@ -5737,6 +5849,25 @@ The following fields are available: - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. +### Microsoft.Edge.Crashpad.CrashEvent + +This event sends simple Product and Service Performance data on a crashing Microsoft Edge browser process to help mitigate future instances of the crash. + +The following fields are available: + +- **app_name** The name of the crashing process. +- **app_session_guid** Encodes the boot session, process id, and process start time. +- **app_version** The version of the crashing process. +- **client_id_hash** Hash of the browser client ID which helps identify installations. +- **etag** Encodes the running experiments in the browser. +- **module_name** The name of the module in which the crash originated. +- **module_offset** Memory offset into the module in which the crash originated. +- **module_version** The version of the module in which the crash originated. +- **process_type** The type of the browser process that crashed, e.g., renderer, gpu-process, etc. +- **stack_hash** Hash of the stack trace representing the crash. Currently not used or set to zero. +- **sub_code** The exception/error code representing the crash. + + ### Microsoft.WebBrowser.Installer.EdgeUpdate.Ping This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date. 
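Review bot: In the new Microsoft.Edge.Crashpad.CrashEvent section, the stack_hash description "Currently not used or set to zero." is ambiguous: it can be read as "not used, or set to zero" or as "neither used nor set to zero". Suggest "Currently unused; set to zero." if that is the intent. It would also help to state how app_session_guid "encodes" the boot session, process ID and process start time (hashed or reversible), since that determines how identifying the field is.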
@@ -5922,21 +6053,6 @@ The following fields are available: ## Mixed Reality events -### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded - -This event indicates Windows Mixed Reality device state. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **ClassGuid** Windows Mixed Reality device class GUID. -- **DeviceInterfaceId** Windows Mixed Reality device interface ID. -- **DeviceName** Windows Mixed Reality device name. -- **DriverVersion** Windows Mixed Reality device driver version. -- **FirmwareVersion** Windows Mixed Reality firmware version. -- **Manufacturer** Windows Mixed Reality device manufacturer. -- **ModelName** Windows Mixed Reality device model name. -- **SerialNumber** Windows Mixed Reality device serial number. - ### Microsoft.ML.ONNXRuntime.ProcessInfo This event collects information when an application loads ONNXRuntime.dll. The data collected with this event is used to keep Windows product and service performing properly. 
@@ -5961,6 +6077,23 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. + +### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded + +This event indicates Windows Mixed Reality device state. This event is also used to count WMR device. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **ClassGuid** Windows Mixed Reality device class GUID. +- **DeviceInterfaceId** Windows Mixed Reality device interface ID. +- **DeviceName** Windows Mixed Reality device name. +- **DriverVersion** Windows Mixed Reality device driver version. +- **FirmwareVersion** Windows Mixed Reality firmware version. +- **Manufacturer** Windows Mixed Reality device manufacturer. +- **ModelName** Windows Mixed Reality device model name. +- **SerialNumber** Windows Mixed Reality device serial number. + + ## OneDrive events ### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation @@ -5978,6 +6111,15 @@ The following fields are available: - **SourceOSBuildNumber** The source build number of the operating system. - **SourceOSVersion** The source version of the operating system. + +## Other events + +### Microsoft.Windows.Test.WindowsCoreTelemetryTestProvider.WindowsCoreTelemetryTestEvent + +This is an internal-only test event used to validate the utc.app and telemetry.asm-windowsdefault settings and namespaces before publishing. The provider of this event is assigned to the Windows Core Telemetry group provider in order to test. The data collected with this event is used to keep Windows performing properly + + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted 
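Review bot: The WindowsCoreTelemetryTestEvent description moved into the new "Other events" section still ends without a period after "performing properly", carried over unchanged from the removed copy. The relocation of TelemetryHolographicDeviceAdded below the ONNXRuntime events is a pure reorder with identical text, which is fine, but a section titled "Other events" that holds only an internal-only test event deserves a short sentence explaining why it is documented at all.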
@@ -6006,8 +6148,1180 @@ The following fields are available: - **userRegionCode** The current user's region setting +## Sediment events + +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.PhaseChange + +The event indicates progress made by the updater. This information assists in keeping Windows up to date. + +The following fields are available: + +- **NewPhase** The phase of progress made. +- **ReleaseVer** The version information for the component in which the change occurred. +- **Time** The system time at which the phase chance occurred. + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together. +- **Value** Value associated with the corresponding event name. 
For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## SIH events + +### SIHEngineTelemetry.EvalApplicability + +This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it. +- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it. +- **CachedEngineVersion** The engine DLL version that is being used. 
+- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. +- **IsExecutingAction** If the action is presently being executed. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). +- **SihclientVersion** The client version that is being used. +- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WuapiVersion** The Windows Update API version that is currently installed. +- **WuaucltVersion** The Windows Update client version that is currently installed. +- **WuauengVersion** The Windows Update engine version that is currently installed. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date. + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. 
+- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? 
+- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 
0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. 
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TargetReleaseVersion** The value selected for the target release version policy. 
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) 
+- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. +- **AppXScope** Indicates the scope of the app download. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. 
+- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. +- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** The model of the device. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Information about the download operation properties in the form of a bitmask. +- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events. +- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. +- **EventInstanceID** A globally unique identifier for event instance. 
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. 
+- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific content has previously failed. +- **RepeatFailFlag** Indicates whether this specific content previously failed to download. +- **RevisionNumber** The revision number of the specified piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. +- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. +- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. 
+- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. +- **TotalExpectedBytes** The total count of bytes that the download is expected to be. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedDO** Whether the download used the delivery optimization service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
+ +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
+ +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by 
the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. 
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. 
+- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. 
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Revert + +This is a revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DeploymentProviderMode** The mode of operation of the update deployment provider. +- **DriverPingBack** Contains information about the previous driver and system state. 
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. 
+- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +This is a start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). 
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +This is an uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DeploymentProviderMode** The mode of operation of the Update Deployment Provider. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". 
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). 
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. 
+ + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. 
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** An encoded string of the timestamp token. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. + + +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Hardware level data about battery performance. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM + +This event includes the hardware level data about battery performance. 
The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. +- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? +- **BPMHvtCountA** Current HVT count for BPM counter A. +- **BPMHvtCountB** Current HVT count for BPM counter B. +- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. +- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMTotalEngagedMinutes** Total time that BPM was engaged. +- **BPMTotalEntryEvents** Total number of times entering BPM. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** Product ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on. 
+- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%). +- **ComponentId** Component ID. +- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC. +- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up. +- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially. +- **CTTStartDateInSeconds** Start date from when device was starting to be used. +- **currentAuthenticationState** Current Authentication State. +- **FwVersion** FW version that created this log. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **newSnFruUpdateCount** New Sn FRU Update Count. +- **newSnUpdateCount** New Sn Update Count. +- **ProductId** Product ID. +- **ProtectionPolicy** Battery limit engaged. True (0 False). +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. +- **VoltageOptimization** Current CTT reduction in mV. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **cbTimeCell_Values** cb time for different cells. +- **ComponentId** Component ID. +- **cycleCount** Cycle Count. +- **deltaVoltage** Delta voltage. +- **eocChargeVoltage_Values** EOC Charge voltage values. +- **fullChargeCapacity** Full Charge Capacity. 
+- **FwVersion** FW version that created this log. +- **lastCovEvent** Last Cov event. +- **lastCuvEvent** Last Cuv event. +- **LogClass** LOG_CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG_MGR_VERSION. +- **manufacturerName** Manufacturer name. +- **maxChargeCurrent** Max charge current. +- **maxDeltaCellVoltage** Max delta cell voltage. +- **maxDischargeCurrent** Max discharge current. +- **maxTempCell** Max temp cell. +- **maxVoltage_Values** Max voltage values. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **minTempCell** Min temp cell. +- **minVoltage_Values** Min voltage values. +- **numberOfCovEvents** Number of Cov events. +- **numberOfCuvEvents** Number of Cuv events. +- **numberOfOCD1Events** Number of OCD1 events. +- **numberOfOCD2Events** Number of OCD2 events. +- **numberOfQmaxUpdates** Number of Qmax updates. +- **numberOfRaUpdates** Number of Ra updates. +- **numberOfShutdowns** Number of shutdowns. +- **pfStatus_Values** pf status values. +- **ProductId** Product ID. +- **qmax_Values** Qmax values for different cells. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **avgCurrLastRun** Average current last run. +- **avgPowLastRun** Average power last run. +- **batteryMSPN** BatteryMSPN +- **batteryMSSN** BatteryMSSN. +- **cell0Ra3** Cell0Ra3. +- **cell1Ra3** Cell1Ra3. +- **cell2Ra3** Cell2Ra3. +- **cell3Ra3** Cell3Ra3. +- **ComponentId** Component ID. +- **currentAtEoc** Current at Eoc. +- **firstPFstatusA** First PF status-A. +- **firstPFstatusB** First PF status-B. +- **firstPFstatusC** First PF status-C. +- **firstPFstatusD** First PF status-D. 
+- **FwVersion** FW version that created this log. +- **lastQmaxUpdate** Last Qmax update. +- **lastRaDisable** Last Ra disable. +- **lastRaUpdate** Last Ra update. +- **lastValidChargeTerm** Last valid charge term. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **maxAvgCurrLastRun** Max average current last run. +- **maxAvgPowLastRun** Max average power last run. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **mfgInfoBlockB01** MFG info Block B01. +- **mfgInfoBlockB02** MFG info Block B02. +- **mfgInfoBlockB03** MFG info Block B03. +- **mfgInfoBlockB04** MFG info Block B04. +- **numOfRaDisable** Number of Ra disable. +- **numOfValidChargeTerm** Number of valid charge term. +- **ProductId** Product ID. +- **qmaxCycleCount** Qmax cycle count. +- **SeqNum** Sequence Number. +- **stateOfHealthEnergy** State of health energy. +- **stateOfHealthFcc** State of health Fcc. +- **stateOfHealthPercent** State of health percent. +- **TimeStamp** UTC seconds when log was created. +- **totalFwRuntime** Total FW runtime. +- **updateStatus** Update status. +- **Ver** Schema version. + + +### Microsoft.Surface.Health.Binary.Prod.McuHealthLog + +This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. + +The following fields are available: + +- **CUtility::GetTargetNameA(Target)** Sub component name. +- **HealthLog** Health indicator log. +- **healthLogSize** 4KB. +- **productId** Identifier for product model. 
+ + +## System reset events + +### Microsoft.Windows.SysReset.FlightUninstallCancel + +This event indicates the customer has cancelled uninstallation of Windows. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + + + +### Microsoft.Windows.SysReset.FlightUninstallError + +This event sends an error code when the Windows uninstallation fails. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **ErrorCode** Error code for uninstallation failure. + + +### Microsoft.Windows.SysReset.FlightUninstallReboot + +This event is sent to signal an upcoming reboot during uninstallation of Windows. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + + + +### Microsoft.Windows.SysReset.FlightUninstallStart + +This event indicates that the Windows uninstallation has started. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + + + +### Microsoft.Windows.SysReset.FlightUninstallUnavailable + +This event sends diagnostic data when the Windows uninstallation is not available. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **AddedProfiles** Indicates that new user profiles have been created since the flight was installed. +- **MissingExternalStorage** Indicates that the external storage used to install the flight is not available. +- **MissingInfra** Indicates that uninstall resources are missing. 
+- **MovedProfiles** Indicates that the user profile has been moved since the flight was installed. + + +### Microsoft.Windows.SysReset.HasPendingActions + +This event is sent when users have actions that will block the uninstall of the latest quality update. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + + + +### Microsoft.Windows.SysReset.IndicateLCUWasUninstalled + +This event is sent when the registry indicates that the latest cumulative Windows update package has finished uninstalling. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **errorCode** The error code if there was a failure during uninstallation of the latest cumulative Windows update package. + + +### Microsoft.Windows.SysReset.LCUUninstall + +This event is sent when the latest cumulative Windows update was uninstalled on a device. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **errorCode** An error that occurred while the Windows update package was being uninstalled. +- **packageName** The name of the Windows update package that is being uninstalled. +- **removalTime** The amount of time it took to uninstall the Windows update package. + + +### Microsoft.Windows.SysReset.PBRBlockedByPolicy + +This event is sent when a push-button reset operation is blocked by the System Administrator. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **PBRBlocked** Reason the push-button reset operation was blocked. 
+- **PBRType** The type of push-button reset operation that was blocked. + + +### Microsoft.Windows.SysReset.PBREngineInitFailed + +This event signals a failed handoff between two recovery binaries. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **Operation** Legacy customer scenario. + + +### Microsoft.Windows.SysReset.PBREngineInitSucceed + +This event signals successful handoff between two recovery binaries. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **Operation** Legacy customer scenario. + + +### Microsoft.Windows.SysReset.PBRFailedOffline + +This event reports the error code when recovery fails. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **HRESULT** Error code for the failure. +- **PBRType** The recovery scenario. +- **SessionID** The unique ID for the recovery session. + + +### Microsoft.Windows.SystemReset.EsimPresentCheck + +This event is sent when a device is checked to see whether it has an embedded SIM (eSIM). The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **errorCode** Any error that occurred while checking for the presence of an embedded SIM. +- **esimPresent** Indicates whether an embedded SIM is present on the device. +- **sessionID** The ID of this session. + + +### Microsoft.Windows.SystemReset.PBRCorruptionRepairOption + +This event sends corruption repair diagnostic data when the PBRCorruptionRepairOption encounters a corruption error. 
The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **cbsSessionOption** The corruption repair configuration. +- **errorCode** The error code encountered. +- **meteredConnection** Indicates whether the device is connected to a metered network (wired or WiFi). +- **sessionID** The globally unique identifier (GUID) for the session. + + +### Microsoft.Windows.SystemReset.RepairNeeded + +This event provides information about whether a system reset needs repair. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. + +The following fields are available: + +- **repairNeeded** Indicates whether there was corruption in the system reset which needs repair. +- **sessionID** The ID of this push-button reset session. + + +## UEFI events + +### Microsoft.Windows.UEFI.ESRT + +This event sends basic data during boot about the firmware loaded or recently installed on the machine. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DriverFirmwareFilename** The firmware file name reported by the device hardware key. +- **DriverFirmwarePolicy** The optional version update policy value. +- **DriverFirmwareStatus** The firmware status reported by the device hardware key. +- **DriverFirmwareVersion** The firmware version reported by the device hardware key. +- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier. +- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT). +- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT). 
+- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type. +- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT). +- **InitiateUpdate** Indicates whether the system is ready to initiate an update. +- **LastAttemptDate** The date of the most recent attempted firmware installation. +- **LastAttemptStatus** The result of the most recent attempted firmware installation. +- **LastAttemptVersion** The version of the most recent attempted firmware installation. +- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported. +- **MaxRetryCount** The maximum number of retries, defined by the firmware class key. +- **RetryCount** The number of attempted installations (retries), reported by the driver software key. +- **Status** The status returned to the PnP (Plug-and-Play) manager. +- **UpdateAttempted** Indicates if installation of the current update has been attempted before. + + ## Update Assistant events +### Microsoft.Windows.QualityUpdateAssistant.Applicability + +This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **dayspendingrebootafterfu** Number of days that have elapsed since the device reached ready to reboot for a Feature Update that is still actively pending reboot. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. +- **KBNumber** KBNumber of the update being installed. +- **PackageVersion** Current package version of quality update assistant. +- **Reason** Provides information on reasons why the update is not applicable to the device. 
+- **Result** Applicability check for quality update assistant. + + +### Microsoft.Windows.QualityUpdateAssistant.DeviceReadinessCheck + +This event sends basic info on whether the device is ready to download the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. +- **KBNumber** KBNumber of the update being installed. +- **PackageVersion** Current package version of quality update assistant. +- **Reason** Indicates why the device did not pass the readiness check. +- **Result** Device readiness check for quality update assistant. + + +### Microsoft.Windows.QualityUpdateAssistant.Download + +This event sends basic info when download of the latest cumulative update begins. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **DODownloadHResult** Result code from Delivery Optimization when used to download the quality update. +- **DownloadMode** Indicates how the quality update was downloaded. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. +- **GlobalEventCounter** Client side counter that indicates ordering of events sent by this device. +- **HttpsDownloadHResult** Result code when HTTPS is used to download the quality update. +- **KBNumber** KBNumber of the update being installed. +- **PackageVersion** Current package version of quality update assistant. +- **QualityUpdateDeviceHasMinimumUptime** Indicates whether the device has the minimum uptime required to install a quality update. +- **Result** Download of latest cumulative update payload. 
+- **Scenario** Indicates if the installation step succeeded or failed. + + +### Microsoft.Windows.QualityUpdateAssistant.Install + +This event sends basic info on the result of the installation of the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **DismInstallHResult** Internal result code from DISM when used to install the quality update. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. +- **InstallMode** Indicates which installation method was used to attempt the install of the quality update. +- **KBNumber** KBNumber of the update being installed. +- **launchretrycounter** Count of the number of times the install has been retried in the event of a non-successful installation attempt. +- **PackageVersion** Current package version of quality update assistant. +- **QualityUpdateDismErrorCode** Error code returned when DISM is used to install the quality update. +- **QualityUpdatePendingRebootAfterInstallStage** Indicates if the device is pending reboot after install is complete. +- **QualityUpdateSecondsInstallStage** Time spent installing the quality update. +- **QualityUpdateWusaErrorCode** Error code returned when WUSA is used to install the quality update. +- **Result** Install of latest cumulative update payload. +- **Scenario** Indicates if the installation step succeeded or failed. +- **WusaInstallHResult** Internal result code from WUSA when used to install the quality update. + + +### Microsoft.Windows.Shell.EM.EMCompleted + +Event that tracks the effectiveness of an operation to mitigate an issue on devices that meet certain requirements. 
+ +The following fields are available: + +- **cleanUpScheduledTaskHR** The result of the operation to clean up the scheduled task the launched the operation. +- **eulaHashHR** The result of the operation to generate a hash of the EULA file that's currently on-disk. +- **mitigationHR** The result of the operation to take corrective action on a device that's impacted. +- **mitigationResult** The enumeration value representing the action that was taken on the device. +- **mitigationResultReason** The string value representing the action that was taken on the device. +- **mitigationSuccessWriteHR** The result of writing the success value to the registry. +- **region** The device's default region at the time of execution. +- **windowsVersionString** The version of Windows that was computed at the time of execution. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult + +This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation + +This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantAppFilePath** Path to Update Assistant app. +- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. 
+- **UpdateAssistantExeName** Exe name running as Update Assistant. +- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. +- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. +- **UpdateAssistantIsPushing** True if the update is pushing to the device. +- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. +- **UpdateAssistantOsVersion** Update Assistant OS Version. +- **UpdateAssistantPartnerId** Partner Id for Assistant application. +- **UpdateAssistantReportPath** Path to report for Update Assistant. +- **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. +- **UpdateAssistantUiType** The type of UI whether default or OOBE. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **UpdateAssistantVersionInfo** Information about Update Assistant application. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty + +This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. +- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantInteractive + +An user action such as button click happens. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantInteractiveObjective** The objective of the action performed. +- **UpdateAssistantInteractiveUiAction** The action performed through UI. 
+- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantPostInstallDetails + +Information pertaining to post install phase of Update Assistant. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantPostInstallCV** Correlation vector for update assistant post install. +- **UpdateAssistantPostInstallUpgradeClientId** Client id post install. +- **UpdateAssistantPostInstallUserSignature** User signature of install. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +Will mark the start of an Update Assistant State. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. +- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat +- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. +- **UpdateAssistantStateConfirmUninstall** True at the start of the state Confirm Uninstall. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePerformRestart** True at the start of PerformRestart. +- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantStateShowingUpdate** True at the start of Showing Update. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. 
+ + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStateGeneralErrorDetails + +Details about errors of current state. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantGeneralErrorHResult** HResult of current state. +- **UpdateAssistantGeneralErrorOriginalState** State name of current state. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails + +This event provides details about user action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. +- **UpdateAssistantUserActionHResult** HRESULT of user action. +- **UpdateAssistantUserActionState** State name user performed action on. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantDwnldr.UpdateAssistantDownloadDetails + +Details about the Update Assistant ESD download. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The counter for all telemetry on the device. +- **UpdateAssistantDownloadCancelled** True when the ESD download is cancelled. +- **UpdateAssistantDownloadDownloadTotalBytes** The total size in bytes of the download. +- **UpdateAssistantDownloadEditionMismatch** True if downloaded ESD doesn't match edition. +- **UpdateAssistantDownloadESDEncrypted** True if ESD is encrypted. +- **UpdateAssistantDownloadIs10s** True if ESD is 10s. +- **UpdateAssistantDownloadMessage** Message from a completed or failed download. +- **UpdateAssistantDownloadMsgSize** Size of the download. 
+- **UpdateAssistantDownloadNEdition** True if ESD is N edition. +- **UpdateAssistantDownloadPath** Full path to the download. +- **UpdateAssistantDownloadPathSize** Size of the path. +- **UpdateAssistantDownloadProductsXml** Full path of products xml. +- **UpdateAssistantDownloadTargetEdition** The targeted edition for the download. +- **UpdateAssistantDownloadTargetLanguage** The targeted language for the download. +- **UpdateAssistantDownloadUseCatalog** True if update assistant is using catalog. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + ### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked This event indicates that an update detection has occurred and the targeted install has been blocked. The data collected with this event is used to help keep Windows secure and up to date. @@ -6185,7 +7499,7 @@ The following fields are available: ### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterScanStarted -This event sends telemetry that USO scan has been started. The data collected with this event is used to help keep Windows secure and up to date. +Sends telemetry that USO scan has been started. The following fields are available: @@ -6193,6 +7507,7 @@ The following fields are available: - **ExpediteErrorBitMap** Bit map value for any error code. - **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy. - **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpeditePollCount** Counts the number of polls. - **ExpediteResult** Boolean value for success or failure. - **ExpediteUpdaterCurrentUbr** The UBR of the device. - **ExpediteUpdaterExpectedUbr** The expected UBR of the device. 
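Review bot: the added ExpeditePollCount line, "Counts the number of polls.", does not say what is being polled or over what period, so a reader cannot tell what the value measures; state the target and scope, in the way the neighbouring ExpediteHoursOfUpTimeSincePolicy line names what it counts from. The hunk just above it also cuts the ExpediteUpdaterScanStarted description down to "Sends telemetry that USO scan has been started.", dropping the purpose sentence ("The data collected with this event is used to help keep Windows secure and up to date.") that the adjacent ExpediteBlocked event still carries. Keep that sentence unless the data use has actually changed.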
@@ -6228,10 +7543,10 @@ The following fields are available: - **CV** The correlation vector. - **GlobalEventCounter** Counts the events at the global level for telemetry. - **PackageVersion** The package version for currency tools. -- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is Azure Active Directory-joined. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is Azure Active Directory-joined. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. - **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. - **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. - **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. 
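Review bot: the two changed descriptions in this hunk replace the spelled-out "Azure Active Directory-joined" with two different abbreviations, "AAD joined" on UnifiedInstallerDeviceAADJoinedHresult and "AADJ" on UnifiedInstallerDeviceIsAADJoined, and neither is expanded in the lines shown. The next context line describes UnifiedInstallerDeviceIsAdJoined as "AD joined", so the short forms are easy to misread as the same check. Suggest keeping the full product name, or at least using one form on both lines, for example "Azure Active Directory (AAD) joined".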
@@ -6246,8 +7561,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is managed by Windows Update for Business. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is is managed by Windows Update for Business. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. 
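Review bot: the added UnifiedInstallerDeviceWufbManagedHresult line has a doubled word, "whether a device is is managed by Windows Update for Business"; drop one "is". While this list is being touched, the context field name UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku reads like one field name pasted into the middle of another and should be checked against the event schema.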
@@ -6265,6 +7580,18 @@ The following fields are available: - **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty. +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsCachedNotificationRetrieved + +This event is sent when a notification is received. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter that indicates ordering of events sent by the user. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsBlobNotificationNotEmpty** A boolean that is true if the blob notification has valid content. + + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. @@ -6347,7 +7674,7 @@ The following fields are available: - **PackageVersion** The package version of the label. - **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file. - **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer. -- **UpdateHealthToolsDssDeviceId** The Azure Active Directory ID of the device used to create the device ID hash. +- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash. - **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer. - **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash. - **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id. 
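Review bot: the changed UpdateHealthToolsDssDeviceId description now reads "The AAD ID of the device used to create the device ID hash", with AAD left unexpanded in the lines shown. This is the line that tells a reader which identifier feeds the value documented under UpdateHealthToolsHashedDeviceId, so the removed "Azure Active Directory ID" wording is the clearer one; keep it, or expand the abbreviation on first use.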
@@ -6356,14 +7683,14 @@ The following fields are available: ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin -The event is sent when the device is not joined to Azure Active Directory. The data collected with this event is used to help keep Windows up to date and secure. +The event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter counts the total events for the provider. - **PackageVersion** The version for the current package. -- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for is managed by Windows Update for Business cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin 
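Review bot: the new UpdateHealthToolsServiceBlockedByNoDSSJoinHr description is ungrammatical, "checking for is managed by Windows Update for Business cloud membership", which looks like a find-and-replace on "Windows Update for Business" that went wrong. The removed wording, "checking for Windows Update for Business cloud membership", was correct and should be restored. The event summary in the same hunk also shortens "Azure Active Directory" to an unexpanded "AAD".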
@@ -6387,856 +7714,6 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. -### Microsoft.Windows.QualityUpdateAssistant.Applicability - -This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure. - -The following fields are available: - -- **CV** Correlation vector. -- **dayspendingrebootafterfu** Number of days that have elapsed since the device reached ready to reboot for a Feature Update that is still actively pending reboot. -- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. -- **KBNumber** KBNumber of the update being installed. -- **PackageVersion** Current package version of quality update assistant. -- **Reason** Provides information on reasons why the update is not applicable to the device. -- **Result** Applicability check for quality update assistant. - - -### Microsoft.Windows.QualityUpdateAssistant.DeviceReadinessCheck - -This event sends basic info on whether the device is ready to download the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. -- **KBNumber** KBNumber of the update being installed. -- **PackageVersion** Current package version of quality update assistant. -- **Reason** Indicates why the device did not pass the readiness check. 
-- **Result** Device readiness check for quality update assistant. - - -### Microsoft.Windows.QualityUpdateAssistant.Download - -This event sends basic info when download of the latest cumulative update begins. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **DODownloadHResult** Result code from Delivery Optimization when used to download the quality update. -- **DownloadMode** Indicates how the quality update was downloaded. -- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. -- **GlobalEventCounter** Client side counter that indicates ordering of events sent by this device. -- **HttpsDownloadHResult** Result code when HTTPS is used to download the quality update. -- **KBNumber** KBNumber of the update being installed. -- **PackageVersion** Current package version of quality update assistant. -- **QualityUpdateDeviceHasMinimumUptime** Indicates whether the device has the minimum uptime required to install a quality update. -- **Result** Download of latest cumulative update payload. -- **Scenario** Indicates if the installation step succeeded or failed. - - -### Microsoft.Windows.QualityUpdateAssistant.Install - -This event sends basic info on the result of the installation of the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date. - -The following fields are available: - -- **CV** Correlation vector. -- **DismInstallHResult** Internal result code from DISM when used to install the quality update. -- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. -- **InstallMode** Indicates which installation method was used to attempt the install of the quality update. 
-- **KBNumber** KBNumber of the update being installed. -- **launchretrycounter** Count of the number of times the install has been retried in the event of a non-successful installation attempt. -- **PackageVersion** Current package version of quality update assistant. -- **QualityUpdateDismErrorCode** Error code returned when DISM is used to install the quality update. -- **QualityUpdatePendingRebootAfterInstallStage** Indicates if the device is pending reboot after install is complete. -- **QualityUpdateSecondsInstallStage** Time spent installing the quality update. -- **QualityUpdateWusaErrorCode** Error code returned when WUSA is used to install the quality update. -- **Result** Install of latest cumulative update payload. -- **Scenario** Indicates if the installation step succeeded or failed. -- **WusaInstallHResult** Internal result code from WUSA when used to install the quality update. - - -## Sediment events - -### Microsoft.Windows.Sediment.Info.DetailedState - -This event is sent when detailed state information is needed from an update trial run. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. -- **Id** Identifies the trial being run, such as a disk related trial. -- **ReleaseVer** The version of the component. -- **State** The state of the reporting data from the trial, such as the top-level directory analysis. -- **Time** The time the event was fired. - - -### Microsoft.Windows.Sediment.Info.PhaseChange - -The event indicates progress made by the updater. This information assists in keeping Windows up to date. - -The following fields are available: - -- **NewPhase** The phase of progress made. -- **ReleaseVer** The version information for the component in which the change occurred. -- **Time** The system time at which the phase chance occurred. 
- - -## Setup events - -### SetupPlatformTel.SetupPlatformTelActivityEvent - -This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together. -- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time - - -### SetupPlatformTel.SetupPlatformTelActivityStarted - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - -The following fields are available: - -- **Name** The name of the dynamic update type. Example: GDR driver - - -### SetupPlatformTel.SetupPlatformTelActivityStopped - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - - - -### SetupPlatformTel.SetupPlatformTelEvent - -This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date. - -The following fields are available: - -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **InstanceID** This is a unique GUID to track individual instances of SetupPlatform that will help us tie events from a single instance together. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). 
For example: For time related events this will include the system time. - - -## SIH events - -### SIHEngineTelemetry.EvalApplicability - -This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it. -- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it. -- **CachedEngineVersion** The engine DLL version that is being used. -- **EventInstanceID** A unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. -- **IsExecutingAction** If the action is presently being executed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). -- **SihclientVersion** The client version that is being used. -- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **UpdateID** A unique identifier for the action being acted upon. -- **WuapiVersion** The Windows Update API version that is currently installed. -- **WuaucltVersion** The Windows Update client version that is currently installed. -- **WuauengVersion** The Windows Update engine version that is currently installed. -- **WUDeviceID** The unique identifier controlled by the software distribution client. 
- - -## Software update events - -### SoftwareUpdateClientTelemetry.CheckForUpdates - -This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date. - -The following fields are available: - -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BranchReadinessLevel** The servicing branch configured on the device. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. -- **Context** Gives context on where the error has occurred. 
Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DeviceModel** What is the device model. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. 
-- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. 
-- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). 
-- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan the event was -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **TargetReleaseVersion** The value selected for the target release version policy. -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Commit - -This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date. - -The following fields are available: - -- **BiosFamily** Device family as defined in the system BIOS -- **BiosName** Name of the system BIOS -- **BiosReleaseDate** Release date of the system BIOS -- **BiosSKUNumber** Device SKU as defined in the system BIOS -- **BIOSVendor** Vendor of the system BIOS -- **BiosVersion** Version of the system BIOS -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. 
-- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** Version number of the software distribution client -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** Device model as defined in the system bios -- **EventInstanceID** A globally unique identifier for event instance -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Download - -This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. -- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download. -- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. 
-- **AppXDownloadScope** Indicates the scope of the download for application content. -- **AppXScope** Indicates the scope of the app download. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). -- **CachedEngineVersion** The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if applicable. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CbsDownloadMethod** Indicates whether the download was a full- or a partial-file download. -- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. -- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. 
-- **ConnectTime** Indicates the cumulative amount of time (in seconds) it took to establish the connection for all updates in an update bundle. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeviceModel** The model of the device. -- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **DownloadProps** Information about the download operation properties in the form of a bitmask. -- **DownloadScenarioId** A unique ID for a given download, used to tie together Windows Update and Delivery Optimizer events. -- **DownloadType** Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between Metadata and Payload downloads. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. -- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific ID of the flight (pre-release build) the device is getting. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. 
-- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **HostName** The hostname URL the content is downloading from. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. -- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. -- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **PackageFullName** The package name of the content. -- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. -- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. 
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific content has previously failed. -- **RepeatFailFlag** Indicates whether this specific content previously failed to download. -- **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. -- **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. -- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TargetMetadataVersion** The version of the currently downloading (or most recently downloaded) package. -- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. -- **TimeToEstablishConnection** Time (in milliseconds) it took to establish the connection prior to beginning downloaded. -- **TotalExpectedBytes** The total count of bytes that the download is expected to be. -- **UpdateId** An identifier associated with the specific piece of content. -- **UpdateID** An identifier associated with the specific piece of content. 
-- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedDO** Whether the download used the delivery optimization service. -- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.DownloadCheckpoint - -This event provides a checkpoint between each of the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough -- **FileId** A hash that uniquely identifies a file -- **FileName** Name of the downloaded file -- **FlightId** The unique identifier for each flight -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RevisionNumber** Unique revision number of Update -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) 
-- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) -- **UpdateId** Unique Update ID -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### SoftwareUpdateClientTelemetry.DownloadHeartbeat - -This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **BytesTotal** Total bytes to transfer for this content -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat -- **CurrentError** Last (transient) error encountered by the active download -- **DownloadFlags** Flags indicating if power state is ignored -- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) -- **EventType** Possible values are "Child", "Bundle", or "Driver" -- **FlightId** The unique identifier for each flight -- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any -- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) -- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one -- **ResumeCount** Number of times this active 
download has resumed from a suspended state -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) -- **SuspendCount** Number of times this active download has entered a suspended state -- **SuspendReason** Last reason for why this active download entered a suspended state -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client - - -### SoftwareUpdateClientTelemetry.Install - -This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. - -The following fields are available: - -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ClientVersion** The version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. 
-- **CSIErrorType** The stage of CBS installation where it failed. -- **CurrentMobileOperator** The mobile operator to which the device is currently connected. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DeviceModel** The device model. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **EventType** Possible values are Child, Bundle, or Driver. -- **ExtendedErrorCode** The extended error code. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. -- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. -- **FlightId** The specific ID of the Windows Insider build the device is getting. -- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. -- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). -- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. 
-- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether this update is a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. -- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. -- **MsiAction** The stage of MSI installation where it failed. -- **MsiProductCode** The unique identifier of the MSI installer. -- **PackageFullName** The package name of the content being installed. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. -- **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). 
-- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **TransactionCode** The ID that represents a given MSI installation. -- **UpdateId** Unique update ID. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - - -### SoftwareUpdateClientTelemetry.Revert - -This is a revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of application making the Windows Update request. 
Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. -- **CSIErrorType** Stage of CBS installation that failed. -- **DeploymentProviderMode** The mode of operation of the update deployment provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **EventType** Event type (Child, Bundle, Release, or Driver). -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. 
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** The identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.TaskRun - -This is a start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). 
The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CmdLineArgs** Command line arguments passed in by the caller. -- **EventInstanceID** A globally unique identifier for the event instance. -- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.Uninstall - -This is an uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. -- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. -- **ClientVersion** Version number of the software distribution client. -- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. 
-- **DeploymentProviderMode** The mode of operation of the Update Deployment Provider. -- **DriverPingBack** Contains information about the previous driver and system state. -- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). -- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBuildNumber** Indicates the build number of the flight. -- **FlightId** The specific ID of the flight the device is getting. -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). -- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. -- **IsFirmware** Indicates whether an update was a firmware update. -- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. -- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. -- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. 
-- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. -- **RepeatFailCount** Indicates whether this specific piece of content previously failed. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). -- **StatusCode** Result code of the event (success, cancellation, failure code HResult). -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **UpdateId** Identifier associated with the specific piece of content. -- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). -- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. -- **WUDeviceID** Unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateDetected - -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. 
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). -- **WUDeviceID** The unique device ID controlled by the software distribution client. - - -### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity - -This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. -- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** The integral ID from the FragmentSigning data for the certificate that failed. -- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 
0 = unknown; 1 = ignore; 2 = audit; 3 = enforce -- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. -- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** The revision ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. -- **SHA256OfTimestampToken** An encoded string of the timestamp token. -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast -- **StatusCode** Result code of the event (success, cancellation, failure code HResult) -- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** The update ID for a specific piece of content. -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. - - -## Surface events - -### Microsoft.Surface.Health.Binary.Prod.McuHealthLog - -This event collects information to keep track of health indicator of the built-in micro controller. 
For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. - -The following fields are available: - -- **CUtility::GetTargetNameA(Target)** Sub component name. -- **HealthLog** Health indicator log. -- **healthLogSize** 4KB. -- **productId** Identifier for product model. - -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **batteryData** Hardware level data about battery performance. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - -## System reset events - -### Microsoft.Windows.SysReset.FlightUninstallCancel - -This event indicates the customer has cancelled uninstallation of Windows. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - - - -### Microsoft.Windows.SysReset.FlightUninstallError - -This event sends an error code when the Windows uninstallation fails. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **ErrorCode** Error code for uninstallation failure. - - -### Microsoft.Windows.SysReset.FlightUninstallReboot - -This event is sent to signal an upcoming reboot during uninstallation of Windows. 
The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - - - -### Microsoft.Windows.SysReset.FlightUninstallStart - -This event indicates that the Windows uninstallation has started. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - - - -### Microsoft.Windows.SysReset.FlightUninstallUnavailable - -This event sends diagnostic data when the Windows uninstallation is not available. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **AddedProfiles** Indicates that new user profiles have been created since the flight was installed. -- **MissingExternalStorage** Indicates that the external storage used to install the flight is not available. -- **MissingInfra** Indicates that uninstall resources are missing. -- **MovedProfiles** Indicates that the user profile has been moved since the flight was installed. - - -### Microsoft.Windows.SysReset.HasPendingActions - -This event is sent when users have actions that will block the uninstall of the latest quality update. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - - - -### Microsoft.Windows.SysReset.IndicateLCUWasUninstalled - -This event is sent when the registry indicates that the latest cumulative Windows update package has finished uninstalling. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **errorCode** The error code if there was a failure during uninstallation of the latest cumulative Windows update package. 
- - -### Microsoft.Windows.SysReset.LCUUninstall - -This event is sent when the latest cumulative Windows update was uninstalled on a device. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **errorCode** An error that occurred while the Windows update package was being uninstalled. -- **packageName** The name of the Windows update package that is being uninstalled. -- **removalTime** The amount of time it took to uninstall the Windows update package. - - -### Microsoft.Windows.SysReset.PBRBlockedByPolicy - -This event is sent when a push-button reset operation is blocked by the System Administrator. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **PBRBlocked** Reason the push-button reset operation was blocked. -- **PBRType** The type of push-button reset operation that was blocked. - - -### Microsoft.Windows.SysReset.PBREngineInitFailed - -This event signals a failed handoff between two recovery binaries. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **Operation** Legacy customer scenario. - - -### Microsoft.Windows.SysReset.PBREngineInitSucceed - -This event signals successful handoff between two recovery binaries. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **Operation** Legacy customer scenario. - - -### Microsoft.Windows.SysReset.PBRFailedOffline - -This event reports the error code when recovery fails. 
The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **HRESULT** Error code for the failure. -- **PBRType** The recovery scenario. -- **SessionID** The unique ID for the recovery session. - - -### Microsoft.Windows.SystemReset.EsimPresentCheck - -This event is sent when a device is checked to see whether it has an embedded SIM (eSIM). The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **errorCode** Any error that occurred while checking for the presence of an embedded SIM. -- **esimPresent** Indicates whether an embedded SIM is present on the device. -- **sessionID** The ID of this session. - - -### Microsoft.Windows.SystemReset.PBRCorruptionRepairOption - -This event sends corruption repair diagnostic data when the PBRCorruptionRepairOption encounters a corruption error. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **cbsSessionOption** The corruption repair configuration. -- **errorCode** The error code encountered. -- **meteredConnection** Indicates whether the device is connected to a metered network (wired or WiFi). -- **sessionID** The globally unique identifier (GUID) for the session. - - -### Microsoft.Windows.SystemReset.RepairNeeded - -This event provides information about whether a system reset needs repair. The data collected with this event is used to keep Windows performing properly and helps with tracking the health of recovery and OSUninstall scenarios. - -The following fields are available: - -- **repairNeeded** Indicates whether there was corruption in the system reset which needs repair. 
-- **sessionID** The ID of this push-button reset session. - - -## UEFI events - -### Microsoft.Windows.UEFI.ESRT - -This event sends basic data during boot about the firmware loaded or recently installed on the machine. The data collected with this event is used to help keep Windows up to date and performing properly. - -The following fields are available: - -- **DriverFirmwareFilename** The firmware file name reported by the device hardware key. -- **DriverFirmwarePolicy** The optional version update policy value. -- **DriverFirmwareStatus** The firmware status reported by the device hardware key. -- **DriverFirmwareVersion** The firmware version reported by the device hardware key. -- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier. -- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT). -- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT). -- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type. -- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT). -- **InitiateUpdate** Indicates whether the system is ready to initiate an update. -- **LastAttemptDate** The date of the most recent attempted firmware installation. -- **LastAttemptStatus** The result of the most recent attempted firmware installation. -- **LastAttemptVersion** The version of the most recent attempted firmware installation. -- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported. -- **MaxRetryCount** The maximum number of retries, defined by the firmware class key. -- **RetryCount** The number of attempted installations (retries), reported by the driver software key. -- **Status** The status returned to the PnP (Plug-and-Play) manager. 
-- **UpdateAttempted** Indicates if installation of the current update has been attempted before. - ## Update events @@ -7260,7 +7737,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7277,7 +7754,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7322,7 +7799,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -7344,7 +7821,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7445,7 +7922,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7461,7 +7938,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -7479,7 +7956,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7516,7 +7993,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -7848,7 +8325,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
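Review bot: The platform note added to the Update360Telemetry and Setup360Telemetry descriptions in these hunks is worded several different ways, for example "which is leveraged by both Mobile and Desktop" (UpdateAgentCommit, UpdateAgentExpand, UpdateAgentOneSettings, Setup360OneSettings), "Applicable to PC and Mobile." (UpdateAgentDownloadRequest) and "which is applicable to both PCs and Mobile" (UpdateAgentInitialize). The standalone "Applicable to ..." insertions in UpdateAgentDownloadRequest and UpdateAgentModeStart are sentence fragments, and "PC", "PCs" and "Desktop" are used interchangeably. Suggest one full-sentence form with one device term throughout, matching "This event is only applicable to PCs." in UpdateAgentSetupBoxLaunch. Separately, UpdateAgentOneSettings and Setup360OneSettings both carry the same "post reboot phase" description that UpdateAgentPostRebootResult uses; worth confirming that text is correct for the OneSettings events while these lines are being edited.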
@@ -10100,6 +10577,3 @@ The following fields are available: - **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. - **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. - **UserId** The XUID (Xbox User ID) of the current user. - - - From a96a01739eb2897e5ff9195c0e547d2e299d3b87 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 6 Oct 2022 14:12:06 -0700 Subject: [PATCH 070/106] Updates to event section --- ...ndows-diagnostic-events-and-fields-1809.md | 12 +- ...ndows-diagnostic-events-and-fields-1903.md | 18 +- ...-diagnostic-data-events-and-fields-2004.md | 1083 +++++++++++++---- 3 files changed, 849 insertions(+), 264 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 48527dd1c6..07d84632ac 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -6931,7 +6931,7 @@ The following fields are available: - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. 
@@ -6986,9 +6986,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. 
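Review bot: The three rewritten lines in the @@ -6986,9 hunk keep two different lead-ins: IsWUfBDualScanEnabled and IsWUfBEnabled begin "Flag indicating whether", IsWUfBTargetVersionEnabled begins "Flag that indicates if", and the context lines for the same fields in the @@ -6931,7 hunk above use "Indicates whether". Since these lines are being rewritten anyway to spell out Windows Update for Business, suggest using "Indicates whether ..." for all three here and in the matching hunks of the 1903 file.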
@@ -7047,8 +7047,8 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 79306eb815..f48fe3e2dd 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md 
@@ -6291,7 +6291,7 @@ The following fields are available: - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce - **MSIError** The last error that was encountered during a scan for updates. - **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 @@ -6416,7 +6416,7 @@ The following fields are available: - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." 
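Review bot: The context line directly below the changed IsWUfBTargetVersionEnabled line in the @@ -6291,7 hunk still reads "0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce" for MetadataIntegrityMode; "Ignoe" should be "Ignore". The patch does not touch that line, but this pass is already cleaning up wording in the same field list, so it is worth fixing in the same commit.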
@@ -6550,7 +6550,7 @@ The following fields are available: - **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. - **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. - **MsiAction** The stage of MSI installation where it failed. - **MsiProductCode** The unique identifier of the MSI installer. 
@@ -6605,9 +6605,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. 
@@ -6667,9 +6667,9 @@ The following fields are available: - **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. - **IsFirmware** Indicates whether an update was a firmware update. - **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. -- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. -- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. -- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device. +- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device. +- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device. - **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. - **ProcessName** Process name of the caller who initiated API calls into the software distribution client. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 52f963e220..a0f3e1e71d 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md 
@@ -1,6 +1,6 @@ --- description: Learn more about the required Windows 10 diagnostic data gathered. -title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) +title: Required diagnostic events and fields for Windows 10 (versions 22H2, 21H2, 21H1, 20H2, and 2004) ms.prod: windows-client ms.technology: itpro-privacy localizationpriority: high @@ -12,11 +12,11 @@ ms.topic: article --- -# Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields - +# Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004 **Applies to** +- Windows 10, version 22H2 - Windows 10, version 21H2 - Windows 10, version 21H1 - Windows 10, version 20H2 @@ -42,7 +42,6 @@ You can learn more about Windows functional and diagnostic data through these ar - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount 
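Review bot: The new front-matter title and the new H1 punctuate the version list differently: the title ends "for Windows 10 (versions 22H2, 21H2, 21H1, 20H2, and 2004)" while the heading reads "for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004". Suggest using one form in both places so the page title and the on-page heading match.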
@@ -59,10 +58,15 @@ The following fields are available: - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_CO21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_CU22H2Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_NI22H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_RS4** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_RS5** The total number of objects of this type present on this device. - **DatasourceApplicationFile_TH1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_TH2** The total number of objects of this type present on this device. 
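Review bot: The added `DatasourceApplicationFile_CU23H2Setup` line and the rewritten `DatasourceApplicationFile_RS4` line use "The count of the number of this particular object type present on this device." where every sibling field in the list says "The total number of objects of this type present on this device." The RS4 change replaces the consistent sentence with the awkward one, so it should be dropped, and the CU23H2Setup line should use the same sentence as its neighbours. The same `_CU23H2Setup` wording recurs in the later hunks of this file, and the RS4 rewrite recurs in the DatasourceDevicePnp, DatasourceDriverPackage, DecisionApplicationFile, DecisionDevicePnp and DecisionDriverPackage hunks. Please also confirm that `CU22H2`, `CU23H2` and `NI22H2` are meant to appear only with the `Setup` suffix while `CO21H2` gets both variants.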
@@ -74,10 +78,15 @@ The following fields are available: - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CO21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CU22H2Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_NI22H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_RS4** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS4Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS5** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS5Setup** The total number of objects of this type present on this device. 
@@ -91,10 +100,15 @@ The following fields are available: - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CO21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CU22H2Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_NI22H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_RS4** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS4Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS5** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS5Setup** The total number of objects of this type present on this device. 
@@ -108,6 +122,11 @@ The following fields are available: - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CO21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CU22H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_NI22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. 
@@ -123,6 +142,11 @@ The following fields are available: - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CO21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CU22H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_NI22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. 
@@ -138,6 +162,11 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CO21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CU22H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_NI22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. 
@@ -153,6 +182,11 @@ The following fields are available: - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_CO21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_CU22H2Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_NI22H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. 
@@ -170,10 +204,15 @@ The following fields are available: - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CO21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. -- **DecisionApplicationFile_RS4** The total number of objects of this type present on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS5** The total number of objects of this type present on this device. - **DecisionApplicationFile_TH1** The total number of objects of this type present on this device. - **DecisionApplicationFile_TH2** The total number of objects of this type present on this device. 
@@ -185,10 +224,15 @@ The following fields are available: - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CO21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. -- **DecisionDevicePnp_RS4** The total number of objects of this type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS4Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS5** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS5Setup** The total number of objects of this type present on this device. 
@@ -202,10 +246,15 @@ The following fields are available: - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CO21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. -- **DecisionDriverPackage_RS4** The total number of objects of this type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS4Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS5** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS5Setup** The total number of objects of this type present on this device. 
@@ -219,6 +268,11 @@ The following fields are available: - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CO21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. 
@@ -234,6 +288,11 @@ The following fields are available: - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CO21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. 
@@ -249,6 +308,11 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CO21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. 
@@ -264,6 +328,11 @@ The following fields are available: - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CO21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. 
@@ -278,6 +347,11 @@ The following fields are available: - **DecisionSModeState_21H1Setup** The total number of objects of this type present on this device. - **DecisionSModeState_21H2** The total number of objects of this type present on this device. - **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_CO21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionSModeState_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSModeState_RS1** The total number of objects of this type present on this device. - **DecisionSModeState_RS2** The total number of objects of this type present on this device. - **DecisionSModeState_RS3** The total number of objects of this type present on this device. 
@@ -293,6 +367,11 @@ The following fields are available: - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H2** The total number of objects of this type present on this device. - **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. 
@@ -309,6 +388,11 @@ The following fields are available: - **DecisionSystemDiskSize_21H1Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemDiskSize_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. 
@@ -323,6 +407,11 @@ The following fields are available: - **DecisionSystemMemory_21H1Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemMemory_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. 
@@ -337,6 +426,11 @@ The following fields are available: - **DecisionSystemProcessorCpuCores_21H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessorCpuCores_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. 
@@ -350,6 +444,12 @@ The following fields are available: - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessorCpuModel_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. 
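Review bot: Unlike the neighbouring hunks, this one adds six lines, not five: `DecisionSystemProcessorCpuModel_21H2Setup` is new here, whereas the other field families already carry their `_21H2Setup` line as unchanged context. That makes it a correction of an earlier omission and not one of the new-suffix additions. Confirm the field is actually emitted by the event before documenting it, and call the fix out in the change description so it is not lost among the bulk additions.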
@@ -364,6 +464,11 @@ The following fields are available: - **DecisionSystemProcessorCpuSpeed_21H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CO21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemProcessorCpuSpeed_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. 
@@ -378,6 +483,11 @@ The following fields are available: - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H2** The total number of objects of this type present on this device. - **DecisionTest_21H2Setup** The total number of objects of this type present on this device. +- **DecisionTest_CO21H2** The total number of objects of this type present on this device. +- **DecisionTest_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionTest_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionTest_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionTest_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. 
@@ -392,6 +502,11 @@ The following fields are available: - **DecisionTpmVersion_21H1Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CO21H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionTpmVersion_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. 
@@ -406,6 +521,11 @@ The following fields are available: - **DecisionUefiSecureBoot_21H1Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CO21H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CU22H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CU23H2Setup** The count of the number of this particular object type present on this device. +- **DecisionUefiSecureBoot_NI22H2Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. 
@@ -438,6 +558,11 @@ The following fields are available: - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H2** The total number of objects of this type present on this device. - **Wmdrm_21H2Setup** The total number of objects of this type present on this device. +- **Wmdrm_CO21H2** The total number of objects of this type present on this device. +- **Wmdrm_CO21H2Setup** The total number of objects of this type present on this device. +- **Wmdrm_CU22H2Setup** The total number of objects of this type present on this device. +- **Wmdrm_CU23H2Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_NI22H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -1101,6 +1226,8 @@ The following fields are available: - **CpuStepping** Cpu stepping. - **CpuVendor** Cpu vendor. - **PlatformId** CPU platform identifier. +- **ProcessorName** OEM processor name. +- **ProductName** OEM product name. - **SysReqOverride** Appraiser decision about system requirements override. 
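Review bot: The added `Wmdrm_CU23H2Setup` entry is described as "The count of the number of this particular object type present on this device.", while every sibling added next to it (`_CO21H2`, `_CO21H2Setup`, `_CU22H2Setup`, `_NI22H2Setup`) uses "The total number of objects of this type present on this device." The same mismatch appears on `DecisionTpmVersion_CU23H2Setup` and `DecisionUefiSecureBoot_CU23H2Setup` in the two preceding hunks. If the field means the same thing, use the same sentence in all three places so readers do not infer a different counting rule for CU23H2.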
@@ -1751,6 +1878,17 @@ The following fields are available: - **WmdrmPurchased** Indicates if the system has any files with permanent licenses. +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.WmdrmStartSync The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date. 
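Review bot: The new `WmdrmRemove` section links to `[Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange)`, but the hunk at `@@ -2475,20 +2671,6 @@` in this same patch deletes the `## Common data fields` / `### Ms.Device.DeviceInventoryChange` section that this anchor points to. Unless the heading is re-added elsewhere in the file, this link and the identical ones in the added `InventoryAcpiPhat*` sections will not resolve. Either keep the section or retarget the links.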
@@ -1764,23 +1902,6 @@ The following fields are available: ## Audio endpoint events -### MicArrayGeometry - -This event provides information about the layout of the individual microphone elements in the microphone array. The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **MicCoords** The location and orientation of the microphone element. -- **usFrequencyBandHi** The high end of the frequency range for the microphone. -- **usFrequencyBandLo** The low end of the frequency range for the microphone. -- **usMicArrayType** The type of the microphone array. -- **usNumberOfMicrophones** The number of microphones in the array. -- **usVersion** The version of the microphone array specification. -- **wHorizontalAngleBegin** The horizontal angle of the start of the working volume (reported as radians times 10,000). -- **wHorizontalAngleEnd** The horizontal angle of the end of the working volume (reported as radians times 10,000). -- **wVerticalAngleBegin** The vertical angle of the start of the working volume (reported as radians times 10,000). -- **wVerticalAngleEnd** The vertical angle of the end of the working volume (reported as radians times 10,000). - ### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint. The data collected with this event is used to keep Windows performing properly. @@ -1833,6 +1954,7 @@ The following fields are available: - **AppraiserTaskExitCode** The Appraiser task exist code. - **AppraiserTaskLastRun** The last runtime for the Appraiser task. - **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** The version of Internet Explorer that is running on the device. ### Census.Azure 
@@ -1876,11 +1998,12 @@ The following fields are available: - **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false - **IsDERequirementMet** Represents if the device can do device encryption. - **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment. - **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. - **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier 
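Review bot: The rewritten `SCCMClientId` line only lowercases "enterprise" and keeps the subject-verb error "This ID correlate systems". Since the line is already being replaced, fix it to "This ID correlates systems ..." in the same change.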
@@ -1926,6 +2049,7 @@ The following fields are available: - **DeviceForm** Indicates the form as per the device classification. - **DeviceName** The device name that is set by the user. - **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. - **EnclosureKind** Windows.Devices.Enclosure.EnclosureKind enum values representing each unique enclosure posture kind. - **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). - **InventoryId** The device ID used for compatibility testing. @@ -2018,6 +2142,7 @@ The following fields are available: - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. - **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. - **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. - **ProductActivationResult** Returns Boolean if the OS Activation was successful. - **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. 
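Review bot: The description added for `OSTimeZoneBiasInMins`, "Retrieves the time zone set on machine.", does not match what the field name says it carries. The name indicates a bias expressed in minutes, not a time zone identifier, so the description should state that the value is an offset, its unit, and what it is measured against. The `DUID` entry added in the earlier hunk on this line ("The device unique ID.") would also benefit from saying how it differs from the `InventoryId` shown two lines below it.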
@@ -2294,10 +2419,10 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
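Review bot: The replacement `WUDODownloadMode` line still runs two sentences together with no punctuation: "how to acquire/distribute updates Delivery Optimization (DO) allows users ...". Add the period after "updates" while the line is being touched. Separately, the removed and added `WUPauseState` lines read identically, so that change looks whitespace-only; if that is intended, it is worth saying so in the commit message, otherwise drop it from the diff.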
@@ -2313,6 +2438,77 @@ The following fields are available: - **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. +## Code Integrity events + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.AutoEnablementIsBlocked + +Indicates if OEM attempted to block autoenablement via regkey. + +The following fields are available: + +- **BlockHvciAutoenablement** True if auto-enablement was successfully blocked, false otherwise. + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Compatibility + +Fires when the compatibility check completes. Gives the results from the check. + +The following fields are available: + +- **IsRecommended** Denotes whether all compatibility checks have passed and, if so, returns true. Otherwise returns false. +- **Issues** If compatibility checks failed, provides bit indexed indicators of issues detected. Table located here: [Check results of HVCI default enablement](/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-hvci-default-enablement). + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.Enabled + +Fires when auto-enablement is successful and HVCI is being enabled on the device. + + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HVCIActivity + +Fires at the beginning and end of the HVCI auto-enablement process in sysprep. + +The following fields are available: + +- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. See [wilActivity](#wilactivity). + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed + +Fires when driver scanning fails to get results. + + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanningDriverInSdbError + +Fires when there is an error checking the SDB for a particular driver. 
+ +The following fields are available: + +- **DriverPath** Path to the driver that was being checked in the SDB when checking encountered an error. +- **Error** Error encountered during checking the SDB. + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanningDriverNonCompliantError + +Fires when a driver is discovered that is non-compliant with HVCI. + +The following fields are available: + +- **DriverPath** Path to driver. +- **NonComplianceMask** Error code indicating driver violation. + + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.IsRegionDisabledLanguage + +Fires when an incompatible language pack is detected. + +The following fields are available: + +- **Language** String containing the incompatible language pack detected. + + ## Common data extensions ### Common Data Extensions.app @@ -2475,20 +2671,6 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. - ## Component-based servicing events 
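Review bot: In the added `HVCISysprep.HVCIActivity` section, the `wilActivity` description contains the typo "sucess" ("a HResult indicating sucess or failure"); it should read "success". Also, none of the new `Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.*` events carry the "The data collected with this event is used to ..." sentence that the other events added in this patch include, and `AutoEnablementIsBlocked` refers to "regkey" without naming it. Add the purpose sentence for consistency with the rest of the file.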
@@ -2853,7 +3035,7 @@ This event sends data about the connectivity status of the Connected User Experi The following fields are available: -- **CensusExitCode** Returns last execution codes from census client run. +- **CensusExitCode** Last exit code of Census task - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. @@ -2916,6 +3098,20 @@ The following fields are available: - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +## Direct to update events + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + ## DISM events ### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU 
@@ -3032,6 +3228,7 @@ The following fields are available: - **FinishInstallUI** Indicates whether the installation process shows the user interface. - **FirmwareDate** The firmware date that will be stored in the EFI System Resource Table (ESRT). - **FirmwareRevision** The firmware revision that will be stored in the EFI System Resource Table (ESRT). +- **FirmwareVendor** The vendor of the firmware. - **FirmwareVersion** The firmware version that will be stored in the EFI System Resource Table (ESRT). - **FirstHardwareId** The ID in the hardware ID list that provides the most specific device description. - **FlightIds** A list of the different Windows Insider builds on the device. @@ -3071,7 +3268,7 @@ The following fields are available: - **FlightId** The ID of the Windows Insider build the device received. - **InstallDate** The date the driver was installed. - **InstallFlags** The driver installation flags. -- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **OptionalData** Metadata specific to Windows Update (WU) associated with the driver (flight IDs, recovery IDs, etc.) - **RebootRequired** Indicates whether a reboot is required after the installation. - **RollbackPossible** Indicates whether this driver can be rolled back. - **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update. 
@@ -3245,6 +3442,37 @@ The following fields are available: ## Feature update events +### Microsoft.Windows.FeatureQuality.Heartbeat + +This event indicates the feature status heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **Features** Array of features. + + +### Microsoft.Windows.FeatureQuality.StateChange + +This event indicates the change of feature state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **flightId** Flight id. +- **state** New state. + + +### Microsoft.Windows.FeatureQuality.Status + +This event indicates the feature status. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **featureId** Feature id. +- **flightId** Flight id. +- **time** Time of status change. +- **variantId** Variant id. + + ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -3289,7 +3517,7 @@ The following fields are available: ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: 
@@ -3486,6 +3714,55 @@ The following fields are available: - **devinv** The file version of the Device inventory component. +### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordAdd + +This event sends basic metadata about ACPI PHAT Health Record structure on the machine. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AmHealthy** Indicates if the is device healthy. 0 - Errors found. 1 - No errors. 2 - Unknown. 3 - Advisory. +- **DevicePathSubtype** The device path subtype associated with the record producer. +- **DevicePathType** The device path type associated with the record producer. +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatHealthRecordStartSync + +This event indicates a new set of InventoryAcpiPhatHealthRecord events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatVersionElementAdd + +This event sends basic metadata for ACPI PHAT Version Element structure. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **ProducerId** The ACPI vendor ID. +- **VersionValue** The 64 bit component version value. 
+ + +### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatVersionElementStartSync + +This event indicates that a new set of InventoryAcpiPhatVersionElement events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date. @@ -3741,7 +4018,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. For a list of values, see: [Device Install State](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state). +- **InstallState** The device installation state. One of these values: [DEVICE_INSTALL_STATE enumeration](/windows-hardware/drivers/ddi/wdm/ne-wdm-_device_install_state) - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device 
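Review bot: In the added `InventoryAcpiPhatHealthRecordAdd` section, the `AmHealthy` description has its words transposed: "Indicates if the is device healthy." should be "Indicates if the device is healthy." The value list that follows (0 - Errors found. 1 - No errors. 2 - Unknown. 3 - Advisory.) is fine as written.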
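Review bot: The new `InstallState` line in the `@@ -3741,7 +4018,7 @@` hunk drops the trailing period and ends on a bare link ("One of these values: [DEVICE_INSTALL_STATE enumeration](...)"), unlike the line it replaces. More importantly, the unchanged context around it shows descriptions that do not match their field names: `HWID` is described as "The version of the driver loaded for the device", `Inf` as "The bus that enumerated the device", and `InventoryVersion` as "List of hardware ids for the device". These look shifted by one or more rows; since this list is being edited, realign them in the same change.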
@@ -3964,62 +4241,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **AddinCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInCLSID** The class identifier key for the Microsoft Office add-in. -- **AddInId** The identifier for the Microsoft Office add-in. -- **AddinType** The type of the Microsoft Office add-in. -- **BinFileTimestamp** The timestamp of the Office add-in. -- **BinFileVersion** The version of the Microsoft Office add-in. -- **Description** Description of the Microsoft Office add-in. -- **FileId** The file identifier of the Microsoft Office add-in. -- **FileSize** The file size of the Microsoft Office add-in. -- **FriendlyName** The friendly name for the Microsoft Office add-in. -- **FullPath** The full path to the Microsoft Office add-in. -- **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Integer that describes the load behavior. -- **LoadTime** Load time for the Office add-in. -- **OfficeApplication** The Microsoft Office application associated with the add-in. -- **OfficeArchitecture** The architecture of the add-in. -- **OfficeVersion** The Microsoft Office version for this add-in. -- **OutlookCrashingAddin** Indicates whether crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Microsoft Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Microsoft Office add-in. 
-- **Provider** Name of the provider for this add-in. -- **Usage** Data about usage for the add-in. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). - -The following fields are available: - -- **InventoryVersion** The version of the inventory binary generating the events. - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUexIndicatorStartSync Diagnostic event to indicate a new sync is being generated for this object type. The data collected with this event is used to help keep Windows up to date. 
@@ -4337,8 +4558,12 @@ The following fields are available: - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. - **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. +- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. E.g. Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z +- **appPingEventDownloadMetricsCdnCache** Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) E.g. HIT from proxy.domain.tld, MISS from proxy.local - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. - **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. +- **appPingEventDownloadMetricsCdnMSEdgeRef** Used to help correlate client-to-AFD (Azure Front Door) conversations. E.g. Ref A: E2476A9592DF426A934098C0C2EAD3AB Ref B: DM2EDGE0307 Ref C: 2022-01-13T22:08:31Z +- **appPingEventDownloadMetricsCdnP3P** Electronic privacy statement: CAO = collects contact-and-other, PSA = for pseudo-analysis, OUR = data received by us only. Helps identify the existence of transparent intermediaries (proxies) that can create noise in legitimate error detection. E.g. 
CP=\"CAO PSA OUR\" - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. - **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. - **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. 
@@ -4353,12 +4578,14 @@ The following fields are available: - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. -- **appPingEventPackageCacheResult** Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply. +- **appPingEventPackageCacheResult** Indicates whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key; 2 means there's a cache hit under a different key; 0 means that there's a cache miss; -1 means the field does not apply. - **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. - **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'. 
+- **appUpdateCheckIsRollbackAllowed** Check for status showing whether or not rollback is allowed. - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. +- **appUpdateCheckTargetChannel** Check for status showing the target release channel. - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. - **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. 
@@ -4434,6 +4661,41 @@ The following fields are available: - **utc_flags** Event Tracing for Windows (ETW) flags required for the event as part of the data collection process. +### Microsoft.Edge.Crashpad.CrashEvent + +This event sends simple Product and Service Performance data on a crashing Microsoft Edge browser process to help mitigate future instances of the crash. + +The following fields are available: + +- **app_name** The name of the crashing process. +- **app_session_guid** Encodes the boot session, process id, and process start time. +- **app_version** The version of the crashing process. +- **client_id_hash** The version of the crashing process. +- **etag** Encodes the running experiments in the browser. +- **module_name** The name of the module in which the crash originated. +- **module_offset** Memory offset into the module in which the crash originated. +- **module_version** The version of the module in which the crash originated. +- **process_type** The type of the browser process that crashed, example, renderer, gpu-process, etc. +- **stack_hash** Hash of the stack trace representing the crash. Currently not used or set to zero. +- **sub_code** The exception/error code representing the crash. + + +### Microsoft.Edge.Crashpad.HangEvent + +This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang. + +The following fields are available: + +- **app_name** The name of the hanging process. +- **app_session_guid** Encodes the boot session, process, and process start time. +- **app_version** The version of the hanging process. +- **client_id_hash** Hash of the browser client id to help identify the installation. +- **etag** Identifier to help identify running browser experiments. +- **hang_source** Identifies how the hang was detected. +- **process_type** The type of the hanging browser process, example, gpu-process, renderer, etc. 
+- **stack_hash** A hash of the hanging stack. Currently not used or set to zero. + + ### Microsoft.WebBrowser.Installer.EdgeUpdate.Ping This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date. 
@@ -4663,16 +4925,89 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. -## Settings events -### Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity.ProtocolActivation +## OOBE events -This event tracks protocol launching for Setting's URIs. The data collected with this event is used to help keep Windows up to date. +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateExpeditionChoiceCommitted + +This event requests a commit work for expedited update. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. The following fields are available: -- **activationSource** Where activation is initiated. -- **uriString** URI of the launching protocol. +- **oobeExpeditedUpdateCommitOption** Type of commit work for expedited update. +- **resultCode** HR result of operation. + + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateNthEulaAcceptChoice + +Eula choice in NthLogon NDUP - necessary for upgrade. + +The following fields are available: + +- **fAccepted** Accept/decline state. +- **resultCode** Hresult of committing choice. + + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateNthLogonDisplayStatus + +NthLogon NDUP evaluated whether it should launch or not. + +The following fields are available: + +- **nthSkippedReasonFlag** Flag indicating skip reason. +- **reason** Skip reason string. + + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdatePageSkipped + +This event provides information about skipping expedited update page. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. + +The following fields are available: + +- **reason** Reason for skip. +- **skippedReasonFlag** Flag representing reason for skip. 
+ + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateStatusResult + +This event provides status of expedited update. The data collected with this event is used to help keep Windows secure, up to date, and performing properly. + +The following fields are available: + +- **oobeExpeditedUpdateStatus** Expedited update status. +- **reason** Reason for the status. +- **resultCode** HR result of operation. + + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateSvEulaAccepted + +Event logged when the Win11 EULA is accepted in OOBE on a Win10 machine. + +The following fields are available: + +- **lang** The language code of the accepted Win11 EULA. + + +### Microsoft.Windows.Shell.Oobe.ExpeditedUpdate.ExpeditedUpdateSvEulaNotMarkedAccepted + +Logged when Eula is accepted but it can't be confirmed if it's the SV version. + +The following fields are available: + +- **fLPLanguage** Return val of check for if current lang is backed by Language Pack. +- **lang** Current lang code in use. +- **resultCode** Hresult of the LP check. + + +## Other events + +### Microsoft.Windows.OneSettingsClient.Heartbeat + +This event indicates the config state heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **Configs** Array of configs. ## Privacy consent logging events @@ -4703,6 +5038,18 @@ The following fields are available: - **userRegionCode** The current user's region setting +## Settings events + +### Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity.ProtocolActivation + +This event tracks protocol launching for Setting's URIs. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **activationSource** Where activation is initiated. +- **uriString** URI of the launching protocol. + + ## Setup events ### Microsoft.Windows.Setup.WinSetupBoot.BootBlockStart 
@@ -5266,17 +5613,6 @@ The following fields are available: ## Surface events -### Microsoft.Surface.Health.Binary.Prod.McuHealthLog - -This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. - -The following fields are available: - -- **CUtility::GetTargetNameA(Target)** Sub component name. -- **HealthLog** Health indicator log. -- **healthLogSize** 4KB. -- **productId** Identifier for product model. - ### Microsoft.Surface.Battery.Prod.BatteryInfoEvent This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. 
@@ -5444,16 +5780,30 @@ The following fields are available: - **Ver** Schema version. +### Microsoft.Surface.Health.Binary.Prod.McuHealthLog + +This event collects information to keep track of health indicator of the built-in micro controller. For example, the number of abnormal shutdowns due to power issues during boot sequence, type of display panel attached to base, thermal indicator, throttling data in hardware etc. The data collected with this event is used to help keep Windows secure and performing properly. + +The following fields are available: + +- **CUtility::GetTargetNameA(Target)** Sub component name. +- **HealthLog** Health indicator log. +- **healthLogSize** 4KB. +- **productId** Identifier for product model. + + ### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. The following fields are available: +- **ControllerResetCause** The cause for the controller reset. - **HostResetCause** Host reset cause. - **PchResetCause** PCH reset cause. - **SamResetCause** SAM reset cause. + ## Update Assistant events ### Microsoft.Windows.QUALauncher.Applicable 
@@ -5492,6 +5842,80 @@ The following fields are available: - **Result** Applicability check for quality update assistant. +### Microsoft.Windows.QualityUpdateAssistant.DeviceReadinessCheck + +This event sends basic info on whether the device is ready to download the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. +- **KBNumber** KBNumber of the update being installed. +- **PackageVersion** Current package version of quality update assistant. +- **Reason** Indicates why the device did not pass the readiness check. +- **Result** Device readiness check for quality update assistant. + + +### Microsoft.Windows.QualityUpdateAssistant.Download + +This event sends basic info when download of the latest cumulative update begins. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **DODownloadHResult** Result code from Delivery Optimization when used to download the quality update. +- **DownloadMode** Indicates how the quality update was downloaded. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. +- **GlobalEventCounter** Client side counter that indicates ordering of events sent by this device. +- **HttpsDownloadHResult** Result code when HTTPS is used to download the quality update. +- **KBNumber** KBNumber of the update being installed. +- **PackageVersion** Current package version of quality update assistant. +- **QualityUpdateDeviceHasMinimumUptime** Indicates whether the device has the minimum uptime required to install a quality update. 
+- **Result** Download of latest cumulative update payload. +- **Scenario** Indicates if the installation step succeeded or failed. + + +### Microsoft.Windows.QualityUpdateAssistant.Install + +This event sends basic info on the result of the installation of the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **DismInstallHResult** Internal result code from DISM when used to install the quality update. +- **ExecutionRequestId** Identifier of the Execution Request that launched the QualityUpdateAssistant process. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device. +- **InstallMode** Indicates which installation method was used to attempt the install of the quality update. +- **KBNumber** KBNumber of the update being installed. +- **launchretrycounter** Count of the number of times the install has been retried in the event of a non-successful installation attempt. +- **PackageVersion** Current package version of quality update assistant. +- **QualityUpdateDismErrorCode** Error code returned when DISM is used to install the quality update. +- **QualityUpdatePendingRebootAfterInstallStage** Indicates if the device is pending reboot after install is complete. +- **QualityUpdateSecondsInstallStage** Time spent installing the quality update. +- **QualityUpdateWusaErrorCode** Error code returned when WUSA is used to install the quality update. +- **Result** Install of latest cumulative update payload. +- **Scenario** Indicates if the installation step succeeded or failed. +- **WusaInstallHResult** Internal result code from WUSA when used to install the quality update. + + +### Microsoft.Windows.QualityUpdateAssistant.RebootPending + +This event sends basic info on the result of the installation of the latest cumulative update indicating device is pending reboot. 
+ +The following fields are available: + +- **CV** Correlation vector. +- **ExecutionRequestId** Client side counter which indicates ordering of events sent by this device. +- **GlobalEventCounter** KBNumber of the update being installed. +- **KBNumber** KBNumber of the update being installed. +- **PackageVersion** Current package version of quality update assistant. +- **QualityUpdateDaysPendingRebootAfterInstallStage** The number of days pending for reboot after installation. +- **QualityUpdatePendingRebootAfterInstallStage** QualityUpdatePendingRebootAfterInstallStartingToast. +- **Result** Result of Execution. +- **Scenario** Represent the state of execution step. + + ### Microsoft.Windows.RecommendedTroubleshootingService.MitigationFailed This event is raised after an executable delivered by Mitigation Service has run and failed. Data from this event is used to measure the health of mitigations used by engineers to solve in-market problems on internal, insider, and retail devices. Failure data will also be used for root-cause investigation by feature teams, as signal to halt mitigation rollout and, possible follow-up action on specific devices still impacted by the problem because the mitigation failed (i.e. reoffer it to impacted devices). The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -5578,6 +6002,150 @@ The following fields are available: - **totalUserTime** Total user mode time used by the job object. +### Microsoft.Windows.Shell.EM.EMCompleted + +Event that tracks the effectiveness of an operation to mitigate an issue on devices that meet certain requirements. + +The following fields are available: + +- **cleanUpScheduledTaskHR** The result of the operation to clean up the scheduled task the launched the operation. +- **eulaHashHR** The result of the operation to generate a hash of the EULA file that's currently on-disk. +- **mitigationHR** The result of the operation to take corrective action on a device that's impacted. +- **mitigationResult** The enumeration value representing the action that was taken on the device. +- **mitigationResultReason** The string value representing the action that was taken on the device. +- **mitigationSuccessWriteHR** The result of writing the success value to the registry. +- **region** The device's default region at the time of execution. +- **windowsVersionString** The version of Windows that was computed at the time of execution. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult + +This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation + +This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. 
+ +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantAppFilePath** Path to Update Assistant app. +- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. +- **UpdateAssistantExeName** Exe name running as Update Assistant. +- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. +- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. +- **UpdateAssistantIsPushing** True if the update is pushing to the device. +- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. +- **UpdateAssistantOsVersion** Update Assistant OS Version. +- **UpdateAssistantPartnerId** Partner Id for Assistant application. +- **UpdateAssistantReportPath** Path to report for Update Assistant. +- **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. +- **UpdateAssistantUiType** The type of UI whether default or OOBE. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **UpdateAssistantVersionInfo** Information about Update Assistant application. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty + +This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. +- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantInteractive + +An user action such as button click happens. 
+ +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantInteractiveObjective** The objective of the action performed. +- **UpdateAssistantInteractiveUiAction** The action performed through UI. +- **UpdateAssistantVersion** Current package version of Update Assistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. +- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat +- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. +- **UpdateAssistantStateConfirmUninstall** True at the start of the state Confirm Uninstall. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePerformRestart** True at the start of PerformRestart. +- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantStateShowingUpdate** True at the start of Showing Update. +- **UpdateAssistantStateWelcomeToNewOS** True at the start of WelcomeToNewOS. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStateGeneralErrorDetails + +Details about errors of current state. 
+ +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantGeneralErrorHResult** HResult of current state. +- **UpdateAssistantGeneralErrorOriginalState** State name of current state. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails + +This event provides details about user action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. +- **UpdateAssistantUserActionHResult** HRESULT of user action. +- **UpdateAssistantUserActionState** State name user performed action on. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantBox.UpdateAssistantBoxStubDetails + +Details about the box stub process. + +The following fields are available: + +- **CV** Correlation vector for the telemetry. +- **GlobalEventCounter** Device counter for all events. +- **UpdateAssistantBoxStubCompleted** True if the boxstub process has completed. +- **UpdateAssistantBoxStubHResult** HResult of box stub run. +- **UpdateAssistantBoxStubInstallationProgram** The path to the installation folder. +- **UpdateAssistantBoxStubUiType** UI type of box stub run. +- **UpdateAssistantVersion** The version of Update Assistant application for this run. + + ### Microsoft.Windows.UpdateHealthTools.ExpediteDetectionStarted This event indicates that the detection phase of USO has started. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -5588,6 +6156,7 @@ The following fields are available: - **ExpeditePolicyId** The policy ID of the expedite request. - **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. - **ExpediteUpdatesInProgress** List of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. - **ExpediteUsoLastError** The last error returned by USO. - **GlobalEventCounter** Counts the number of events for this provider. - **PackageVersion** The package version label. @@ -5603,6 +6172,7 @@ The following fields are available: - **ExpeditePolicyId** The policy Id of the expedite request. - **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. - **ExpediteUpdatesInProgress** A list of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. - **ExpediteUsoLastError** The last error returned by USO. - **GlobalEventCounter** Counts the number of events for this provider. - **PackageVersion** The package version label. @@ -5618,6 +6188,7 @@ The following fields are available: - **ExpeditePolicyId** The policy ID of the expedite request. - **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. - **ExpediteUpdatesInProgress** List of update IDs in progress. +- **ExpediteUsoCorrelationVector** The correlation vector for the current USO session. - **ExpediteUsoLastError** The last error returned by USO. - **GlobalEventCounter** Counts the number of events for this provider. - **PackageVersion** The package version label. 
@@ -5683,6 +6254,7 @@ The following fields are available: - **ExpeditePolicyId** The policy ID of the expedite request. - **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited. - **ExpediteUpdatesInProgress** Comma delimited list of update IDs currently being offered. +- **ExpediteUsoCorrelationVector** The correlation vector from the USO session. - **ExpediteUsoLastError** Last HResult from the current USO session. - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of UpdateHealthTools. @@ -5725,6 +6297,7 @@ The following fields are available: - **ExpediteErrorBitMap** Bit map value for any error code. - **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy. - **ExpeditePolicyId** The policy Id of the expedite request. +- **ExpeditePollCount** Counts the number of polls. - **ExpediteResult** Boolean value for success or failure. - **ExpediteUpdaterCurrentUbr** The UBR of the device. - **ExpediteUpdaterExpectedUbr** The expected UBR of the device. 
@@ -5760,10 +6333,10 @@ The following fields are available: - **CV** The correlation vector. - **GlobalEventCounter** Counts the events at the global level for telemetry. - **PackageVersion** The package version for currency tools. -- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is Azure Active Directory-joined. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is Azure Active Directory joined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. -- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is Azure Active Directory-joined. +- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is Azure Active Directory joined. - **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined. - **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined. - **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU. 
@@ -5778,8 +6351,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is managed by Windows Update for Business. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device ismanaged by Windows Update for Business. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. 
@@ -5930,90 +6503,6 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult - -This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation - -This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantAppFilePath** Path to Update Assistant app. -- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. -- **UpdateAssistantExeName** Exe name running as Update Assistant. -- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. -- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. -- **UpdateAssistantIsPushing** True if the update is pushing to the device. -- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. -- **UpdateAssistantOsVersion** Update Assistant OS Version. -- **UpdateAssistantPartnerId** Partner Id for Assistant application. -- **UpdateAssistantReportPath** Path to report for Update Assistant. 
-- **UpdateAssistantStartTime** Start time for UpdateAssistant. -- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. -- **UpdateAssistantUiType** The type of UI whether default or OOBE. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. -- **UpdateAssistantVersionInfo** Information about Update Assistant application. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty - -This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. -- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState - -This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. -- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat -- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. -- **UpdateAssistantStateDownloading** True at the start Downloading. -- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. -- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. -- **UpdateAssistantStateInstalling** True at the start of Installing. -- **UpdateAssistantStatePerformRestart** True at the start of PerformRestart. 
-- **UpdateAssistantStatePostInstall** True at the start of PostInstall. -- **UpdateAssistantStateShowingUpdate** True at the start of Showing Update. -- **UpdateAssistantStateWelcomeToNewOS** True at the start of WelcomeToNewOS. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails - -This event provides details about user action. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. -- **UpdateAssistantUserActionHResult** HRESULT of user action. -- **UpdateAssistantUserActionState** State name user performed action on. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. ## Update events @@ -6036,7 +6525,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -6053,7 +6542,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6098,7 +6587,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6120,7 +6609,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -6162,6 +6651,7 @@ The UpdateAgentMerge event sends data on the merge phase when updating Windows. The following fields are available: +- **CancelRequested** A cancellation request happened. - **ErrorCode** The error code returned for the current merge phase. - **FlightId** Unique ID for each flight. - **MergeId** The unique ID to join two update sessions being merged. @@ -6221,7 +6711,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6237,7 +6727,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -6255,7 +6745,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -6292,7 +6782,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -6487,7 +6977,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -6624,7 +7114,7 @@ The following fields are available: ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: 
@@ -6869,6 +7359,20 @@ This event is sent when the Store Agent cache is refreshed with any available pa +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + ### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. @@ -7736,9 +8240,14 @@ This event sends launch data for a Windows Update scan to help keep Windows secu The following fields are available: +- **detectionBlockingPolicy** State of update action. - **detectionBlockreason** The reason detection did not complete. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The error code returned for the current process. - **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **interactive** Indicates whether the session was user initiated. +- **networkStatus** Error info +- **scanTriggerSource** Source of the triggered scan. - **updateScenarioType** Identifies the type of update session being performed. - **wuDeviceid** The unique device ID used by Windows Update. 
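Review bot: In the Windows Update scan launch hunk, the added **networkStatus** field is described only as "Error info" with no closing period, which does not match the field name or the style of the surrounding entries. Say what the value represents and end the entry with a period. **detectionBlockingPolicy** ("State of update action.") has the same problem of not describing the policy it names, and **detectionRetryMode** should avoid the first person ("whether we will try to scan again").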
@@ -7995,7 +8504,7 @@ The following fields are available: - **updaterCmdLine** The command line requested by the updater. - **updaterId** The ID of the updater that requested the work. -- **wuDeviceid** WU device ID. +- **wuDeviceid** Windows Update device ID. ### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkNonSystem @@ -8058,6 +8567,17 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.Worker.EulaAccepted + +Indicates that EULA for an update has been accepted. + +The following fields are available: + +- **publisherIntent** Publisher Intent id associated with the update. +- **reason** Reason for EULA acceptance. +- **update** Update for which EULA has been accepted. See [update](#update). + + ### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date. 
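Review bot: The new **update** field in Microsoft.Windows.Update.Orchestrator.Worker.EulaAccepted links to [update](#update), but none of the visible hunks adds an "update" section for that anchor to resolve to, and the later "fix broken links" patch in this series removes a link of exactly this form. Either add the referenced section in this change or drop the cross-reference. The event description also omits the purpose sentence ("The data collected with this event is used to ...") that the following EnhancedEngagedRebootUxState event carries.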
@@ -8149,6 +8669,61 @@ The following fields are available: - **wuDeviceid** Represents device ID. +### Microsoft.Windows.WindowsUpdate.PLUG.PLUGActivityEvaluate + +PLUG Scheduler has determined whether or not to execute an activity. + +The following fields are available: + +- **Name** The name of the activity. +- **WillExecute** True if PLUG has decided to execute the activity. + + +### Microsoft.Windows.WindowsUpdate.PLUG.PLUGActivityExecuteEnd + +PLUG Scheduler has executed an activity. + +The following fields are available: + +- **ExitCode** Exit code reported by activity process. +- **HRESULT** Result of activity execution. +- **Name** Name of activity being executed. + + +### Microsoft.Windows.WindowsUpdate.PLUG.PLUGActivityExecuteStart + +PLUG Scheduler is starting to execute an activity. + +The following fields are available: + +- **Name** The name of the activity being executed. + + +### Microsoft.Windows.WindowsUpdate.PLUG.PLUGSchedulerExit + +PLUG Scheduler (PLUGScheduler.exe) is about to exit. + + + +### Microsoft.Windows.WindowsUpdate.PLUG.PLUGSchedulerLaunch + +PLUG Scheduler (PLUGScheduler.exe) has just started to run. + +The following fields are available: + +- **CommandLine** The command line used to launch PLUG Scheduler. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICOInteractionCampaignComplete + +This event is generated whenever a RUXIM user interaction campaign becomes complete. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that became complete. +- **ResultId** The final result of the interaction campaign. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.ICSEvaluateInteractionCampaign This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) finishes processing an interaction campaign. 
The data collected with this event is used to help keep Windows up to date and performing properly. @@ -8179,6 +8754,23 @@ The following fields are available: - **CommandLine** The command line used to launch RUXIMICS. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit + +This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ETagValue** eTag for sync. +- **hrInitialize** Error, if any, that occurred while initializing OneSettings. +- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch + +This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + + + ### Microsoft.Windows.WindowsUpdate.RUXIM.IHEvaluateAndPresent This event is generated when the RUXIM Interaction Handler finishes evaluating, and possibly presenting an interaction campaign. The data collected with this event is used to help keep Windows up to date and performing properly. 
@@ -8212,6 +8804,26 @@ The following fields are available: - **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. +### Microsoft.Windows.WindowsUpdate.RUXIM.LibStoredState + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) has read or written the stored state of an interaction campaign. + +The following fields are available: + +- **EvaluationCount** Number of times the interaction campaign has been evaluated. +- **InteractionCampaignID** The user interaction we processed. +- **IsChanged** True if the stored state has been modified in the registry (by creating it or by modifying one or more fields). +- **IsComplete** True if the interaction campaign is marked as complete. +- **IsNew** True if the stored state was not previously in the registry and was just initialized. +- **LastEvaluationTime** Last time the interaction campaign was evaluated. +- **LastPresentationTime** Last time the interaction campaign was presented. +- **PresentationCount** Number of times the interaction campaign has been presented. +- **ResultId** The result ID currently recorded for the interaction campaign. +- **StateCreationTime** Time the state was created. +- **StateModificationTime** Time the state was last modified. +- **ThrottlingRoll** Randomly generated throttling roll for the interaction campaign. + + ### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. 
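Review bot: In the added Microsoft.Windows.WindowsUpdate.RUXIM.LibStoredState section, **InteractionCampaignID** is described as "The user interaction we processed.", while the other RUXIM events in this patch describe the same field as a GUID identifying the interaction campaign. Reuse that wording and drop the first person. The event description also lacks the purpose sentence that the adjacent RUXIM events end with ("The data collected with this event is used to help keep Windows up to date and performing properly.").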
@@ -8223,30 +8835,6 @@ The following fields are available: - **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. - **Result** Overall result generated by the evaluation. -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. - ## Windows Update mitigation events 
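Review bot: Deleting the "### wilActivity" section removes the target of the [wilActivity](#wilactivity) links, and no visible hunk in this patch updates the fields that point at it; the later "fix broken links" patches in this series strip links of that form one by one. Remove or retarget those references in the same change that deletes the section, so the page is not published with dangling anchors. If the struct's field list is no longer documented anywhere, keep a one-line description of wilActivity on the fields that use it.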
@@ -8291,7 +8879,7 @@ This event sends data specific to the CryptcatsvcRebuild mitigation used for OS The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** The unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationNeeded** Information on whether the mitigation was needed. @@ -8312,7 +8900,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. @@ -8584,6 +9172,3 @@ The following fields are available: - **virtualMachineName** VM name. - **waitForClientConnection** True if we should wait for client connection. - **wp81NetworkStackDisabled** WP 8.1 networking stack disabled. - - - From 1c6a2337e6716fc90ff89034637dbea4d5716c1e Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 6 Oct 2022 14:42:15 -0700 Subject: [PATCH 071/106] fix broken links --- ...-diagnostic-data-events-and-fields-2004.md | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index a0f3e1e71d..188d765354 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -2471,8 +2471,7 @@ Fires at the beginning and end of the HVCI auto-enablement process in sysprep. The following fields are available: -- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. See [wilActivity](#wilactivity). - +- **wilActivity** Contains the thread ID used to match the begin and end events, and for the end event also a HResult indicating sucess or failure. ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanGetResultFailed 
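Review bot: The replacement **wilActivity** line in the HVCISysprep hunk still carries the typo "sucess"; since the line is being rewritten anyway, correct it to "success". The hunk also removes a blank line after the field list, so check that one still separates the list from the following HvciScanGetResultFailed heading.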
@@ -2671,6 +2670,19 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. ## Component-based servicing events @@ -8212,7 +8224,7 @@ This event measures overall health of UpdateOrchestrator. The data collected wit The following fields are available: -- **wilActivity** This struct provides a Windows Internal Library context used for Product and Service diagnostics. See [wilActivity](#wilactivity). +- **wilActivity** This struct provides a Windows Internal Library context used for Product and Service diagnostics. ### Microsoft.Windows.Update.Orchestrator.DeferRestart @@ -8269,7 +8281,7 @@ The following fields are available: - **seekerUpdateIdList** The list of “seeker” update identifiers. - **seekerUpdateList** The list of “seeker” updates. - **services** The list of services that were called during update. -- **wilActivity** The activity results. See [wilActivity](#wilactivity). +- **wilActivity** The activity results. ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded 
@@ -8575,7 +8587,7 @@ The following fields are available: - **publisherIntent** Publisher Intent id associated with the update. - **reason** Reason for EULA acceptance. -- **update** Update for which EULA has been accepted. See [update](#update). +- **update** Update for which EULA has been accepted. ### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState From 12a35e9c2935dfb2f5ba2658c10632ea9eb3d10c Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 6 Oct 2022 14:54:19 -0700 Subject: [PATCH 072/106] Fix broken links --- ...required-windows-diagnostic-data-events-and-fields-2004.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 188d765354..9f581301c5 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1929,7 +1929,7 @@ The following fields are available: - **JackSubType** A unique ID representing the KS node type of the endpoint. - **localEffectClsid** The COM Class Identifier (CLSID) for the legacy local effect audio processing object. - **localEffectModule** Module name for the legacy local effect audio processing object. -- **MicArrayGeometry** Describes the microphone array, including the microphone position, coordinates, type, and frequency range. See [MicArrayGeometry](#micarraygeometry). +- **MicArrayGeometry** Describes the microphone array, including the microphone position, coordinates, type, and frequency range. - **modeEffectClsid** The COM Class Identifier (CLSID) for the mode effect audio processing object. - **modeEffectModule** Module name for the mode effect audio processing object. - **persistentId** A unique ID for this endpoint which is retained across migrations. 
@@ -3601,7 +3601,7 @@ The following fields are available: - **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion. - **PackageVersion** Windows Mixed Reality Portal app package version. - **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state. -- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. See [wilActivity](#wilactivity). +- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. ### Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming From d4f21906e3117b4fa359bddc165c212cf086a40c Mon Sep 17 00:00:00 2001 
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 6 Oct 2022 15:33:39 -0700 Subject: [PATCH 073/106] Various changes Crosslinks Metadata (ms.topic) TOC --- .../privacy/Microsoft-DiagnosticDataViewer.md | 4 ++-- ...-windows-diagnostic-events-and-fields-1703.md | 4 ++-- ...-windows-diagnostic-events-and-fields-1709.md | 4 ++-- ...-windows-diagnostic-events-and-fields-1803.md | 4 ++-- ...-windows-diagnostic-events-and-fields-1809.md | 4 ++-- ...-windows-diagnostic-events-and-fields-1903.md | 4 ++-- ...nges-to-windows-diagnostic-data-collection.md | 4 ++-- ...ndows-diagnostic-data-in-your-organization.md | 2 +- .../privacy/diagnostic-data-viewer-overview.md | 5 +++-- ...c-data-windows-analytics-events-and-fields.md | 2 +- ...sential-services-and-connected-experiences.md | 2 +- ...components-to-microsoft-services-using-MDM.md | 1 + ...ng-system-components-to-microsoft-services.md | 2 +- windows/privacy/manage-windows-11-endpoints.md | 2 +- windows/privacy/manage-windows-1809-endpoints.md | 2 +- windows/privacy/manage-windows-1903-endpoints.md | 2 +- windows/privacy/manage-windows-1909-endpoints.md | 2 +- windows/privacy/manage-windows-2004-endpoints.md | 2 +- windows/privacy/manage-windows-20H2-endpoints.md | 2 +- windows/privacy/manage-windows-21H1-endpoints.md | 2 +- windows/privacy/manage-windows-21h2-endpoints.md | 2 +- ...d-diagnostic-events-fields-windows-11-22H2.md | 4 ++-- ...ed-windows-11-diagnostic-events-and-fields.md | 5 ++--- ...ows-diagnostic-data-events-and-fields-2004.md | 2 +- windows/privacy/toc.yml | 16 ++++++++-------- .../privacy/windows-10-and-privacy-compliance.md | 2 +- ...ndows-11-endpoints-non-enterprise-editions.md | 2 +- windows/privacy/windows-diagnostic-data-1703.md | 2 +- windows/privacy/windows-diagnostic-data.md | 6 ++++-- ...ows-endpoints-1809-non-enterprise-editions.md | 2 +- ...ows-endpoints-1903-non-enterprise-editions.md | 2 +- ...ows-endpoints-1909-non-enterprise-editions.md | 2 +- 
...ows-endpoints-2004-non-enterprise-editions.md | 2 +- ...ows-endpoints-20H2-non-enterprise-editions.md | 2 +- ...ows-endpoints-21H1-non-enterprise-editions.md | 2 +- 35 files changed, 56 insertions(+), 53 deletions(-) diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 6638ac61ee..c7c58e1c97 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -7,14 +7,14 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: how-to --- # Diagnostic Data Viewer for PowerShell Overview **Applies to** -- Windows 11 +- Windows 11, version 21H2 and later - Windows 10, version 1803 and later - Windows Server, version 1803 - Windows Server 2019 diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index dc91f14e6e..03855eca31 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -7,7 +7,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- 
@@ -28,7 +28,7 @@ You can learn more about Windows functional and diagnostic data through these ar - [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index b26fc08415..89a23fc158 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -7,7 +7,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- 
@@ -28,7 +28,7 @@ You can learn more about Windows functional and diagnostic data through these ar - [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 83e1ec0e93..d2d72305ee 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -7,7 +7,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- 
@@ -28,7 +28,7 @@ You can learn more about Windows functional and diagnostic data through these ar - [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 07d84632ac..f49ab2e417 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -7,7 +7,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- 
@@ -27,7 +27,7 @@ You can learn more about Windows functional and diagnostic data through these ar - [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index f48fe3e2dd..83e9f90c58 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -7,7 +7,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- 
@@ -29,7 +29,7 @@ You can learn more about Windows functional and diagnostic data through these ar - [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 4495bae43a..8011162d4a 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -7,13 +7,13 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: conceptual --- # Changes to Windows diagnostic data collection **Applies to** -- Windows 11 +- Windows 11, version 21H2 and later - Windows 10, version 1903 and later - Windows Server 2022 diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 9d0a698060..9f8d707703 100644 
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -8,7 +8,7 @@ author: DHB-MSFT ms.author: danbrown manager: dougeby ms.collection: highpri -ms.topic: article +ms.topic: conceptual --- # Configure Windows diagnostic data in your organization diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 4a768201a7..122f0717a3 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -8,14 +8,15 @@ author: DHB-MSFT ms.author: danbrown manager: dougeby ms.collection: highpri -ms.topic: article +ms.topic: how-to --- # Diagnostic Data Viewer Overview **Applies to** -- Windows 10, version 1803 and later and Windows 11 +- Windows 11, version 21H2 and later +- Windows 10, version 1803 and later ## Introduction diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 982a48f7f5..e4880b26b9 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 56f401b3c6..1fdd101d8f 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -8,7 +8,7 @@ author: DHB-MSFT ms.author: danbrown manager: dougeby ms.collection: highpri - +ms.topic: reference --- # Essential services and connected experiences for Windows 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index b06310788f..d3e9576785 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -7,6 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby +ms.topic: conceptual --- # Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services using Microsoft Intune MDM Server diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index ee631755a6..f1c14f475f 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -8,7 +8,7 @@ author: DHB-MSFT ms.author: danbrown manager: dougeby ms.collection: highpri -ms.topic: article +ms.topic: conceptual --- # Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md index 1633afaa86..9de85e40cf 100644 --- a/windows/privacy/manage-windows-11-endpoints.md +++ b/windows/privacy/manage-windows-11-endpoints.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Manage connection endpoints for Windows 11 Enterprise 
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 4ce066cee1..0bd15bbb50 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 1809 diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index b9574d92f2..20e9fec7fb 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 1903 diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index a8ed4e5e01..bfbd385697 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 1909 diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md index 58dda9f87d..a95f038a8d 100644 --- a/windows/privacy/manage-windows-2004-endpoints.md +++ b/windows/privacy/manage-windows-2004-endpoints.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 2004 
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md index a4b5c3dcc6..c292c6f1ed 100644 --- a/windows/privacy/manage-windows-20H2-endpoints.md +++ b/windows/privacy/manage-windows-20H2-endpoints.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 20H2 diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md index 753fad6ce5..0e47b473b6 100644 --- a/windows/privacy/manage-windows-21H1-endpoints.md +++ b/windows/privacy/manage-windows-21H1-endpoints.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 21H1 diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md index f07efac32e..49eb5a3b58 100644 --- a/windows/privacy/manage-windows-21h2-endpoints.md +++ b/windows/privacy/manage-windows-21h2-endpoints.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Manage connection endpoints for Windows 10 Enterprise, version 21H2 diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md index f965b48765..1665c4605a 100644 --- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -8,7 +8,7 @@ localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- 
@@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index ec6574f029..3deb6ead41 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -8,8 +8,7 @@ author: DHB-MSFT ms.author: danbrown manager: dougeby ms.collection: highpri -ms.topic: article - +ms.topic: reference --- 
@@ -29,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) -- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 9f581301c5..1fba0d455b 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -8,7 +8,7 @@ author: DHB-MSFT ms.author: danbrown manager: dougeby ms.collection: highpri -ms.topic: article +ms.topic: reference --- diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index cca1091e48..fd217ff56e 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml 
@@ -15,21 +15,21 @@ href: Microsoft-DiagnosticDataViewer.md - name: Required Windows diagnostic data events and fields items: - - name: Windows 11, version 22H2 required diagnostic events and fields + - name: Windows 11: version 22H2 href: required-diagnostic-events-fields-windows-11-22H2.md - - name: Windows 11, version 21H2 required diagnostic events and fields + - name: Windows 11: version 21H2 href: required-windows-11-diagnostic-events-and-fields.md - - name: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields + - name: Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004 href: required-windows-diagnostic-data-events-and-fields-2004.md - - name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields + - name: Windows 10: versions 1909 and 1903 href: basic-level-windows-diagnostic-events-and-fields-1903.md - - name: Windows 10, version 1809 required Windows diagnostic events and fields + - name: Windows 10: version 1809 href: basic-level-windows-diagnostic-events-and-fields-1809.md - - name: Windows 10, version 1803 required Windows diagnostic events and fields + - name: Windows 10: version 1803 href: basic-level-windows-diagnostic-events-and-fields-1803.md - - name: Windows 10, version 1709 required Windows diagnostic events and fields + - name: Windows 10: version 1709 href: basic-level-windows-diagnostic-events-and-fields-1709.md - - name: Windows 10, version 1703 required Windows diagnostic events and fields + - name: Windows 10: version 1703 href: basic-level-windows-diagnostic-events-and-fields-1703.md - name: Optional Windows diagnostic data events and fields items: diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index e3c49d3cbd..2e65697d6a 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md 
+++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: conceptual --- # Windows Privacy Compliance:
    A Guide for IT and Compliance Professionals diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md index c39555ffe6..480e474f63 100644 --- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md +++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Windows 11 connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md index 5ce38f257d..f4777d4afa 100644 --- a/windows/privacy/windows-diagnostic-data-1703.md +++ b/windows/privacy/windows-diagnostic-data-1703.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Windows 10 diagnostic data for the Full diagnostic data level diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index eac9f2f9b7..04381116ab 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -8,13 +8,15 @@ author: DHB-MSFT ms.author: danbrown manager: dougeby ms.collection: highpri -ms.topic: article +ms.topic: reference --- # Windows 10, version 1709 and later and Windows 11 optional diagnostic data Applies to: -- Windows 11 +- Windows 11, version 22H2 +- Windows 11, version 21H2 +- Windows 10, version 22H2 - Windows 10, version 21H2 - Windows 10, version 21H1 - Windows 10, version 20H2 diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md index b57dba81f4..692ea4127b 100644 --- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md 
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Windows 10, version 1809, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md index c062520432..cffad0f0e4 100644 --- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Windows 10, version 1903, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 514d815a7b..364bbda151 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Windows 10, version 1909, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md index 97a017647b..72c2c99868 100644 --- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Windows 10, version 2004, connection endpoints for non-Enterprise editions 
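Review bot: In the windows/privacy/toc.yml hunk of this patch, the eight renamed entries such as `- name: Windows 11: version 22H2` put a colon followed by a space inside an unquoted value. YAML does not allow that in a plain scalar, so a parser reads the second colon as the start of a nested mapping and will typically reject the file. Quote the values (`- name: "Windows 11: version 22H2"`) or keep the comma form that the removed lines used.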
diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md index e60e1d97e7..a909428902 100644 --- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Windows 10, version 20H2, connection endpoints for non-Enterprise editions diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md index f48389c056..379e4110bc 100644 --- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md @@ -7,7 +7,7 @@ ms.localizationpriority: high author: DHB-MSFT ms.author: danbrown manager: dougeby -ms.topic: article +ms.topic: reference --- # Windows 10, version 21H1, connection endpoints for non-Enterprise editions From 1c70d5ddc53d128b939b7e85213ce7cc7c6d7050 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 6 Oct 2022 15:49:26 -0700 Subject: [PATCH 074/106] TOC update --- windows/privacy/toc.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index fd217ff56e..295d4bf26f 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml 
@@ -15,21 +15,21 @@ href: Microsoft-DiagnosticDataViewer.md - name: Required Windows diagnostic data events and fields items: - - name: Windows 11: version 22H2 + - name: Windows 11, version 22H2 href: required-diagnostic-events-fields-windows-11-22H2.md - - name: Windows 11: version 21H2 + - name: Windows 11, version 21H2 href: required-windows-11-diagnostic-events-and-fields.md - - name: Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004 + - name: Windows 10, versions 22H2, 21H2, 21H1, 20H2, and 2004 href: required-windows-diagnostic-data-events-and-fields-2004.md - - name: Windows 10: versions 1909 and 1903 + - name: Windows 10, versions 1909 and 1903 href: basic-level-windows-diagnostic-events-and-fields-1903.md - - name: Windows 10: version 1809 + - name: Windows 10, version 1809 href: basic-level-windows-diagnostic-events-and-fields-1809.md - - name: Windows 10: version 1803 + - name: Windows 10, version 1803 href: basic-level-windows-diagnostic-events-and-fields-1803.md - - name: Windows 10: version 1709 + - name: Windows 10, version 1709 href: basic-level-windows-diagnostic-events-and-fields-1709.md - - name: Windows 10: version 1703 + - name: Windows 10, version 1703 href: basic-level-windows-diagnostic-events-and-fields-1703.md - name: Optional Windows diagnostic data events and fields items: From 3aaac9b0f5532fe4fda392c248b88bb74070681e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 7 Oct 2022 12:10:54 +0530 Subject: [PATCH 075/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md --- ...e-your-organization-for-bitlocker-planning-and-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index ded42ee1ee..1cb9dbb802 100644 
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -1,6 +1,6 @@ --- title: Prepare your organization for BitLocker Planning and policies (Windows 10) -description: This topic for the IT professional explains how can you plan your BitLocker deployment. +description: This article for the IT professional explains how can you plan your BitLocker deployment. ms.reviewer: ms.prod: m365-security ms.localizationpriority: medium @@ -23,7 +23,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional explains how to plan BitLocker deployment. +This article for the IT professional explains how to plan BitLocker deployment. When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems. From 8b1c3c1b2431db480857cded47c6750928a62c5f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 7 Oct 2022 15:30:52 +0530 Subject: [PATCH 076/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index afa604d207..1507661978 100644 
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -18,7 +18,7 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. +This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. From 4870d8c6a327002e554ca8fc1dd8d92e244a83ef Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Mon, 10 Oct 2022 11:19:02 -0700 Subject: [PATCH 077/106] Change loc pri to medium --- .../basic-level-windows-diagnostic-events-and-fields-1703.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1709.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1803.md | 2 +- .../basic-level-windows-diagnostic-events-and-fields-1903.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 03855eca31..ad82dd742d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md 
@@ -3,7 +3,7 @@ description: Learn more about the Windows 10, version 1703 diagnostic data gathe title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10) ms.prod: windows-client ms.technology: itpro-privacy -localizationpriority: high +localizationpriority: medium author: DHB-MSFT ms.author: danbrown manager: dougeby diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 89a23fc158..08d84ce2f3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -3,7 +3,7 @@ description: Learn more about the Windows 10, version 1709 diagnostic data gathe title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) ms.prod: windows-client ms.technology: itpro-privacy -localizationpriority: high +localizationpriority: medium author: DHB-MSFT ms.author: danbrown manager: dougeby diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index d2d72305ee..82c0da11c8 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -3,7 +3,7 @@ description: Learn more about the Windows 10, version 1803 diagnostic data gathe title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10) ms.prod: windows-client ms.technology: itpro-privacy -localizationpriority: high +localizationpriority: medium author: DHB-MSFT ms.author: danbrown manager: dougeby diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 83e9f90c58..0511791230 100644 
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -3,7 +3,7 @@ description: Learn more about the Windows 10, version 1903 diagnostic data gathe title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10) ms.prod: windows-client ms.technology: itpro-privacy -localizationpriority: high +localizationpriority: medium author: DHB-MSFT ms.author: danbrown manager: dougeby From 0d539d611a2301671e70395834c16a57d5a8440d Mon Sep 17 00:00:00 2001 From: rpertusio Date: Tue, 11 Oct 2022 04:58:09 -0400 Subject: [PATCH 078/106] Improperly escaped characters in Get-WmiObject command Several escape characters made their way to the final documentation. I've stripped them. --- windows/deployment/update/deployment-service-troubleshoot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md index aa89b4a23a..ce4c794db0 100644 --- a/windows/deployment/update/deployment-service-troubleshoot.md +++ b/windows/deployment/update/deployment-service-troubleshoot.md 
@@ -29,7 +29,7 @@ This troubleshooting guide addresses the most common issues that IT administrato - Check that the deployment to which the device is assigned has the state *offering*. Deployments that have the states *paused* or *scheduled* won't deploy content to devices. - Check that the device has scanned for updates and is scanning the Windows Update service. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates). - **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors. -- **Expedited quality updates only**: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in [KB 4023057 - Update for Windows 10 Update Service components](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a), or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. On a device, the program can be located at **C:\\Program Files\\Microsoft Update Health Tools**. You can verify its presence by reviewing **Add or Remove Programs** or using the following PowerShell script: `Get-WmiObject -Class Win32\_Product \| Where-Object {$\_.Name -amatch "Microsoft Update Health Tools"}`. 
+- **Expedited quality updates only**: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in [KB 4023057 - Update for Windows 10 Update Service components](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a), or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. On a device, the program can be located at **C:\\Program Files\\Microsoft Update Health Tools**. You can verify its presence by reviewing **Add or Remove Programs** or using the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`. ## The device is receiving an update that I didn't deploy From 0f58ba9da660cf6e9dcfbd7500a1f390debda6b2 Mon Sep 17 00:00:00 2001 From: Yuta Honda Date: Thu, 13 Oct 2022 12:38:40 +0900 Subject: [PATCH 079/106] Update network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md it seems typo. SMB replay > SMB relay --- ...ity-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 57d8b13de1..7d0fc400c1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md 
@@ -94,7 +94,7 @@ There are no security audit event policies that can be configured to view event This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability From c53c06a32b3399f203aec058014d810bcb590584 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 17 Oct 2022 18:45:34 +0530 Subject: [PATCH 080/106] added greater than symbol as per user report #10866 10866 so i added the symbol --- windows/client-management/mdm/policy-csp-applicationdefaults.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 70e57eef1e..25977a168b 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -93,7 +93,7 @@ Here's an example output from the dism default association export command: - ``` Here's the base64 encoded result: 
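Review bot: In the front-matter hunk of prepare-your-organization-for-bitlocker-planning-and-policies.md (PATCH 075), the changed `description:` line still reads "explains how can you plan your BitLocker deployment", while the body line changed in the same patch reads "explains how to plan BitLocker deployment". Since the line is being edited anyway, make the description match the body wording. The unchanged `title:` in the same hunk also ends in "(Windows 10)" although the Applies-to context lists Windows 11 and Windows Server 2016 and above.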
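Review bot: PATCH 077 changes the value of an unprefixed `localizationpriority` key in the four basic-level-windows-diagnostic-events-and-fields files, but the other front-matter hunks in this series (changes-to-windows-diagnostic-data-collection.md and the manage-windows-*-endpoints.md files, for example) spell the key `ms.localizationpriority`. Please confirm that the unprefixed key is one the build reads. If it is not, this change has no effect and the key should be renamed in the same commit. The commit message should also say why the priority is lowered for these four files.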
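Review bot: In the deployment-service-troubleshoot.md hunk (PATCH 078), the replacement line changes the operator from `-amatch` to `-match` as well as removing the backslashes before `_` and `|`, but the commit message mentions only the escape characters, so the operator fix should be named there too. `-match` is a regular-expression match. For a fixed product name, `-like "*Microsoft Update Health Tools*"` would state the intent more directly. The sentence also introduces a one-line command as a "PowerShell script", which could be reworded to "PowerShell command" while the line is open.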
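Review bot: In the policy-csp-applicationdefaults.md hunk (PATCH 080), only one line of the example output inside the fenced block changes, and the context line "Here's the base64 encoded result:" that follows is left untouched. Please check that the base64 text under that line still decodes to the corrected example, and regenerate it if it does not. The commit message would also be clearer if it said which line was missing the greater-than symbol rather than pointing only at report #10866.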
From e507af5f44bf46396a7bb451712e23c12b72e58d Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 17 Oct 2022 18:59:40 +0530 Subject: [PATCH 081/106] added line break as per user report #10894 , so i added two line breaks --- ...ecurity-configure-encryption-types-allowed-for-kerberos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 52e8eb78fa..072dcec34e 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -39,8 +39,8 @@ The following table lists and explains the allowed encryption types. | DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. | | DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. | | RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.| -| AES128_HMAC_SHA1| Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | -| AES256_HMAC_SHA1| Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | +| AES128_HMAC_SHA1| Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003.
    Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | +| AES256_HMAC_SHA1| Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003.
    Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | | Future encryption types| Reserved by Microsoft for other encryption types that might be implemented.| ### Possible values From 924377028036b75c5aaca75d264413a7effe2425 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 17 Oct 2022 19:16:33 +0530 Subject: [PATCH 082/106] added word updates as per user report #10910 , so i added word **updates** --- .../client-management/mdm/policy-csp-update.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 23dd80dc02..e384c8beed 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -206,16 +206,16 @@ ms.collection: highpri Update/SetEDURestart
    - Update/SetPolicyDrivenUpdateSourceForDriver + Update/SetPolicyDrivenUpdateSourceForDriverUpdates
    - Update/SetPolicyDrivenUpdateSourceForFeature + Update/SetPolicyDrivenUpdateSourceForFeatureUpdates
    - Update/SetPolicyDrivenUpdateSourceForOther + Update/SetPolicyDrivenUpdateSourceForOtherUpdates
    - Update/SetPolicyDrivenUpdateSourceForQuality + Update/SetPolicyDrivenUpdateSourceForQualityUpdates
    Update/SetProxyBehaviorForUpdateDetection @@ -3527,7 +3527,7 @@ The following list shows the supported values:
    -**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** +**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** The table below shows the applicability of Windows: @@ -3585,7 +3585,7 @@ The following list shows the supported values:
    -**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** +**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** The table below shows the applicability of Windows: @@ -3643,7 +3643,7 @@ The following list shows the supported values:
    -**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** +**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** The table below shows the applicability of Windows: @@ -3701,7 +3701,7 @@ The following list shows the supported values:
    -**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** +**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** The table below shows the applicability of Windows: From b974f4f0eee7411dfb3b856621acf545c9aba4ab Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Mon, 17 Oct 2022 15:58:05 -0700 Subject: [PATCH 083/106] add error found and fixed example --- windows/deployment/upgrade/quick-fixes.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index efd7119b31..681bdcc658 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -134,7 +134,7 @@ To check and repair system files: 4. If you are prompted by UAC, click **Yes**. -5. Type **sfc /scannow** and press ENTER. See the following example: +5. Type **sfc /scannow** and press ENTER. See the following examples: ```console C:\>sfc /scannow @@ -146,6 +146,20 @@ To check and repair system files: Windows Resource Protection did not find any integrity violations. ``` + + ```console + C:\>sfc /scannow + + Beginning system scan. This process will take some time. + + Beginning verification phase of system scan. + Verification 100% complete. + + Windows Resource Protection found corrupt files and successfully repaired them. + For online repairs, details are included in the CBS log file located at + windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline + repairs, details are included in the log file provided by the /OFFLOGFILE flag. + ``` 6. If you are running Windows 8.1 or later, type **DISM.exe /Online /Cleanup-image /Restorehealth** and press ENTER (the DISM command options are not available for Windows 7). See the following example: ```console From 67280d17a60d6db267de55339d85ff7db1771450 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 18 Oct 2022 15:29:38 +0530 Subject: [PATCH 084/106] added win 10 21h2 v2 admx link after this article, I found the 21h2 v2 link is missing, so i added it. This is my own PR --- ...-a-windows-10-device-automatically-using-group-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 6395d0f9f3..77ead2bc40 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -194,7 +194,7 @@ Requirements: - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)](https://www.microsoft.com/download/103667) + - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) 2. Install the package on the Domain Controller. @@ -215,7 +215,7 @@ Requirements: - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update (21H2)** + - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** 4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. 
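Review bot: the 21H2 path in the @@ -215,7 hunk replaces the original folder name outright, so a reader who installed the first 21H2 templates package will not find `Windows 10 November 2021 Update V2 (21H2)` under `C:\Program Files (x86)\Microsoft Group Policy\` on the Domain Controller. Either keep the old path next to the new one or state that the v2.0 package from the updated link must be installed first. The naming also differs between the two hunks ("(21H2)-v2.0" in the link label of @@ -194,7, "Update V2 (21H2)" in the path here); please confirm the path is copied from what the v2.0 installer actually creates, and put a space before "-v2.0" or drop the hyphen in the label.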
@@ -305,7 +305,7 @@ To collect Event Viewer logs: ### Useful Links -- [Windows 10 Administrative Templates for Windows 10 November 2021 Update 21H2](https://www.microsoft.com/download/103667) +- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124) - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) From 70d7b822cb361ab506a7af46b4b32ec11b680410 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 18 Oct 2022 12:50:54 -0400 Subject: [PATCH 085/106] Update policy-configuration-service-provider.md --- .../mdm/policy-configuration-service-provider.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7d29e6b435..1dda28b5c8 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -9132,16 +9132,16 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC Update/SetEDURestart
    - Update/SetPolicyDrivenUpdateSourceForDriver + Update/SetPolicyDrivenUpdateSourceForDriverUpdates
    - Update/SetPolicyDrivenUpdateSourceForFeature + Update/SetPolicyDrivenUpdateSourceForFeatureUpdates
    - Update/SetPolicyDrivenUpdateSourceForOther + Update/SetPolicyDrivenUpdateSourceForOtherUpdates
    - Update/SetPolicyDrivenUpdateSourceForQuality + Update/SetPolicyDrivenUpdateSourceForQualityUpdates
    Update/SetProxyBehaviorForUpdateDetection From e5d13545884cc81604ea48883a9f5e07cc540b8b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 18 Oct 2022 12:52:09 -0400 Subject: [PATCH 086/106] Update deploy-wdac-policies-with-script.md --- .../deployment/deploy-wdac-policies-with-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 6a678ee2ee..007bb11ae6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md 
@@ -82,7 +82,7 @@ You should now have one or more WDAC policies converted into binary form. If not ## Deploying signed policies -If you are using [signed WDAC policies](windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. +If you are using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: From c9bb394fc77dff267239d9e6474143e9dae0af3e Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 18 Oct 2022 10:33:03 -0700 Subject: [PATCH 087/106] Update MDM link --- .../privacy/essential-services-and-connected-experiences.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 1fdd101d8f..cac24b1acb 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -44,7 +44,8 @@ Although enterprise admins can turn off most essential services, we recommend, w | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.

    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.

    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| -|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm/) | +|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview) | + ## Windows connected experiences | **Connected experience** | **Description** | From d36c563b2c166e3a87d7fcc443461f4812ef14fa Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 18 Oct 2022 10:43:52 -0700 Subject: [PATCH 088/106] Fix link issue --- windows/privacy/essential-services-and-connected-experiences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index cac24b1acb..4c1c6a275d 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.

    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.

    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| -|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview) | +|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview.md) | ## Windows connected experiences From 350fb216fb47bf242da40b85cc9b195d52d884b8 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Tue, 18 Oct 2022 10:55:26 -0700 Subject: [PATCH 089/106] Change MDM link info --- windows/privacy/essential-services-and-connected-experiences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 4c1c6a275d..cac24b1acb 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.

    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.

    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| -|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview.md) | +|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview) | ## Windows connected experiences From ee37385885633c73b62ff700c2adadae7473b918 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:33:09 -0600 Subject: [PATCH 090/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/e6801d00-ac9e-46c8-8b26-370e2dfa083a#CORRECTNESS Line 78: you're > you'll Line 151: only > just Line 186: Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. > Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. --- ...your-organization-for-bitlocker-planning-and-policies.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index c4962bf5cd..c3e1167342 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -75,7 +75,7 @@ On computers that don't have a TPM version 1.2 or higher, you can still use Bit **Will you support computers without TPM version 1.2 or higher?** -Determine if you're support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. +Determine if you'll support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. **What areas of your organization need a baseline level of data protection?** 
@@ -148,7 +148,7 @@ The BitLocker Setup wizard provides administrators the ability to choose the Use Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. -With Used Disk Space Only, only the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. +With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and may contain data remnants from their previous use. 
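Review bot: the closing sentence of the changed line in the @@ -148,7 hunk, "So, there's never unencrypted data stored on the drive", is stronger than the rest of the paragraph supports and should be qualified while this line is open. The same line says "Unused space will remain unencrypted", and the next context paragraph recommends Full drive encryption for repurposed drives that "may contain data remnants from their previous use", so on such a drive unencrypted data can remain in the unused space. Suggest wording along the lines of "So, data written after BitLocker is enabled is never stored unencrypted." The "only" to "just" swap itself is fine.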
@@ -183,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. +- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. From f9ce39eb536a3d9b73856ee06b8ff8b75bfaf1d9 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:40:13 -0600 Subject: [PATCH 091/106] Update windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md This sentence might be confusing. Maybe these commas would help? --- ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index c3e1167342..4095417001 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -183,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. +- Recovery unlock, using the FIPS-compliant, algorithm-based recovery password protector, works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. From d75c01535795957c1098d75a6cc2c6c7a9f478ce Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:46:14 -0600 Subject: [PATCH 092/106] Update bitlocker-countermeasures.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/cfaa7d44-e8a7-4281-924f-33dcd42ad82f#CORRECTNESS Line 85: a standard sign in > a standard sign-in Line 87: the user enter > the user enters Line 133: physically-present > physically present (Suggestion: An attacker who is physically present...) --- .../bitlocker/bitlocker-countermeasures.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 5270498276..68889e3dcd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -82,9 +82,9 @@ This helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: -- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. +- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. - **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key. -- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume can't be accessed without entering the PIN. 
TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. +- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. - **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required. In the following group policy example, TPM + PIN is required to unlock an operating system drive: @@ -130,7 +130,7 @@ This section covers countermeasures for specific types of attacks. ### Bootkits and rootkits -A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. +A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. This is the default configuration. From c013cf51314df99340864ce636b47f32014b08a2 Mon Sep 17 00:00:00 2001 
From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:48:11 -0600 Subject: [PATCH 093/106] Update bitlocker-recovery-guide-plan.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/2b6b5714-3222-4576-ac40-82f45f656a17#CORRECTNESS Line 475: Backup >Back up --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 34a2bde95f..2d622dbe34 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -472,7 +472,7 @@ You can reset the recovery password in two ways: ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword ``` -4. Backup the new recovery password to AD DS. +4. Back up the new recovery password to AD DS. ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} From 1cbedb5204a84c6dabf258fbeed40c4e2785fbeb Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 14:51:56 -0600 Subject: [PATCH 094/106] Update prepare-your-organization-for-bitlocker-planning-and-policies.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/abe1d71a-f2e5-4c62-bb68-030266f1f300#CORRECTNESS Line 78: you're > you'll Line 151: Space Only, only > Space Only, just Line 186: - Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. > - Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. --- ...your-organization-for-bitlocker-planning-and-policies.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index c4962bf5cd..c3e1167342 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -75,7 +75,7 @@ On computers that don't have a TPM version 1.2 or higher, you can still use Bit **Will you support computers without TPM version 1.2 or higher?** -Determine if you're support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. +Determine if you'll support computers that don't have a TPM version 1.2 or higher. If you support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication. **What areas of your organization need a baseline level of data protection?** 
@@ -148,7 +148,7 @@ The BitLocker Setup wizard provides administrators the ability to choose the Use Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption. -With Used Disk Space Only, only the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. +With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive. With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and may contain data remnants from their previous use. 
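Review bot: the unchanged sentence that closes the edited paragraph, "So, there's never unencrypted data stored on the drive," overstates what Used Disk Space Only guarantees and conflicts with the next paragraph, which recommends Full drive encryption for repurposed drives because they "may contain data remnants from their previous use." Those remnants sit in the unused space that this mode leaves unencrypted. Since this hunk already touches the paragraph, qualify the sentence, for example "So, data written after BitLocker is enabled is never stored unencrypted," and point readers with previously used drives to Full drive encryption.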
@@ -183,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled: - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm. - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems. -- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords. +- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords. - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode. - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode. From 81d0e59f9cfd257e38bab217a6371045c1e37a98 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:05:20 -0600 Subject: [PATCH 095/106] Update protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md Line 39: don''t > don't --- ...-shared-volumes-and-storage-area-networks-with-bitlocker.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 5e52289f83..ecd80d741d 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -36,7 +36,7 @@ Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded - It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool - It must put the resource into maintenance mode before BitLocker operations are completed. -Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don''t appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. +Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. > [!NOTE] > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption. 
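Review bot: the rewritten paragraph still carries "Mount points are an NTFS object that is used to provide an entry point to other volumes," where subject and complement disagree in number; while fixing `don''t`, change it to "A mount point is an NTFS object that provides an entry point to other volumes." The first bullet in the context lines above ("It must turn on BitLocker - Only after this task is done ...") is reworded separately in PATCH 096, so consider folding both wording fixes for this file into one commit.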
@@ -202,4 +202,3 @@ Some other considerations to take into account for BitLocker on clustered storag - If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster. - If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance. - If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode. - From 53344faa94016544a05f7cc46612cebc61b8c942 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:18:35 -0600 Subject: [PATCH 096/106] Update windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md Line 36: Replace hyphen with emdash and add period. --- ...r-shared-volumes-and-storage-area-networks-with-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ecd80d741d..a20558db31 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -33,7 +33,7 @@ Volumes within a cluster are managed with the help of BitLocker based on how the Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: -- It must turn on BitLocker - Only after this task is done, the volumes can be added into the storage pool +- It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool. - It must put the resource into maintenance mode before BitLocker operations are completed. Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. From 8f1602a8f9ec8f9ec0b8051345aecf57accf4f01 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Tue, 18 Oct 2022 14:33:07 -0700 Subject: [PATCH 097/106] 37747389 - Changing max file version of LIBNICM driver --- .../microsoft-recommended-driver-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 60c69d5e81..42ad4cc7e2 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -769,7 +769,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + From b6a2c50d732534ce2a634fb4d901b2bebf80ad97 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 18 Oct 2022 15:55:54 -0600 Subject: [PATCH 098/106] Apply suggestions from code review Lines 55-58: Separate lines in step items. --- ...-shared-volumes-and-storage-area-networks-with-bitlocker.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index a20558db31..8a767976cc 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -53,8 +53,11 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote 1. Clear key 2. Driver-based auto-unlock key 3. **ADAccountOrGroup** protector + a. Service context protector + b. User protector + 4. Registry-based auto-unlock key > [!NOTE] From 470dbff85cef133da0e34c715ffeda79435e2dd2 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 19 Oct 2022 15:09:07 +0530 Subject: [PATCH 099/106] Update essential-services-and-connected-experiences.md --- windows/privacy/essential-services-and-connected-experiences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index cac24b1acb..70a53c988b 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.

    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.

    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| -|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview) | +|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview.md#mobile-device-management-overview) | ## Windows connected experiences From 1c6dfd795ac57334d9a9e3531c507b351a3f640f Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 19 Oct 2022 15:15:51 +0530 Subject: [PATCH 100/106] Update essential-services-and-connected-experiences.md --- windows/privacy/essential-services-and-connected-experiences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md index 70a53c988b..cac24b1acb 100644 --- a/windows/privacy/essential-services-and-connected-experiences.md +++ b/windows/privacy/essential-services-and-connected-experiences.md @@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft.

    To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).| | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats.

    Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date.

    To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).| | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps.

    To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).| -|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview.md#mobile-device-management-overview) | +|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.

    [Learn more about Mobile Device Management](../client-management/mdm-overview) | ## Windows connected experiences From 0d506dc8909fbf18f3e85471f0fa6d70f8b743ba Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 19 Oct 2022 09:26:54 -0400 Subject: [PATCH 101/106] removed #preview --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index e48d058b7b..a50d39c2dc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment (Preview)](./hello-hybrid-cloud-kerberos-trust.md). +> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](./hello-hybrid-cloud-kerberos-trust.md). The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. 
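Review bot: the replacement note line keeps two wording problems that are worth fixing in the same edit: the stray comma in "called cloud Kerberos trust, in early 2022," and the inconsistent device-state spelling inside one link label ("Hybrid Azure AD-joined devices" versus "Azure AD Joined devices"). Pick one form, for example "Azure AD-joined," and drop the comma. The subject line "removed #preview" would also be clearer if it said that the "(Preview)" label was removed from the cloud Kerberos trust link text.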
From b916f21df9e9f506c14bf4e5d21a2f80377508c7 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 19 Oct 2022 09:37:08 -0400 Subject: [PATCH 102/106] [EDU] Metadata updates to docfx --- education/docfx.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/docfx.json b/education/docfx.json index e6749db811..df077d1783 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -30,8 +30,8 @@ "recommendations": true, "ms.topic": "article", "ms.collection": "education", - "ms.prod": "windows", - "ms.technology": "windows", + "ms.prod": "windows-client", + "ms.technology": "itpro-edu", "author": "paolomatarazzo", "ms.author": "paoloma", "manager": "aaroncz", From 6b591f5a960d8831cb32612f2b9e664b72026127 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 19 Oct 2022 12:12:36 -0400 Subject: [PATCH 103/106] Updated troubleshooting links --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 +- .../identity-protection/hello-for-business/hello-event-300.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 3a4f97b0d0..e878788c76 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -108,5 +108,5 @@ For errors listed in this table, contact Microsoft Support for assistance. - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/troubleshoot/windows-client/user-profiles-and-logon/event-id-300-windows-hello-successfully-created-in-windows-10) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index 8fa58bce19..b0418e21c0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -41,5 +41,5 @@ This is a normal condition. No further action is required. - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Windows Hello errors during PIN creation](/troubleshoot/windows-client/user-profiles-and-logon/windows-hello-errors-during-pin-creation-in-windows-10) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) From 9c42e429b39e675ef4fa2ca3239e3338914ecaea Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 19 Oct 2022 11:27:14 -0500 Subject: [PATCH 104/106] Update hello-errors-during-pin-creation.md --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index e878788c76..ec6b931e13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -69,7 +69,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not verify the KDC certificate CRL. Use a different login method.| +| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation From 1c5372cc1874f36b569b0e1b1fb9767fbb40af29 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 19 Oct 2022 10:35:40 -0700 Subject: [PATCH 105/106] breadcrumb file for redir project --- windows/deployment/breadcrumb/bread.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 windows/deployment/breadcrumb/bread.yml 
diff --git a/windows/deployment/breadcrumb/bread.yml b/windows/deployment/breadcrumb/bread.yml new file mode 100644 index 0000000000..a43252b7e8 --- /dev/null +++ b/windows/deployment/breadcrumb/bread.yml @@ -0,0 +1,12 @@ +items: +- name: Learn + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /troubleshoot/windows-client/ + topicHref: /windows/resources/ + items: + - name: Deployment + tocHref: /troubleshoot/windows-client/deployment/ + topicHref: /windows/deployment/ \ No newline at end of file From bbab23a08c4b34921f85575cfef144059feb2f08 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 19 Oct 2022 10:39:54 -0700 Subject: [PATCH 106/106] breadcrumb file for redir project --- windows/deployment/breadcrumb/{bread.yml => toc.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/deployment/breadcrumb/{bread.yml => toc.yml} (100%) diff --git a/windows/deployment/breadcrumb/bread.yml b/windows/deployment/breadcrumb/toc.yml similarity index 100% rename from windows/deployment/breadcrumb/bread.yml rename to windows/deployment/breadcrumb/toc.yml
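Review bot: the `Manage-bde` commands in the context lines of PATCH 093's hunk (bitlocker-recovery-guide-plan.md, -472,7) mix en dashes and ASCII hyphens, as in `Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}`. These lines sit in `powershell` fences and are meant to be copied into a console, so normalize every switch prefix to the ASCII hyphen (`-protectors -get`, `-protectors -adbackup`) in the same commit that changes "Backup" to "Back up".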
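Review bot: the added bullet in PATCH 096 (protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md, hunk -33,7) has a misplaced comma in the inverted clause "only after this task is done, can the volumes be added"; write "only after this task is done can the volumes be added to the storage pool." The list also switches number: the introducing sentence in the hunk header says "The volumes ... must do the following tasks," but both bullets begin "It must," so either make the bullets plural or reword the lead-in to refer to each volume.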
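Review bot: PATCH 100 (essential-services-and-connected-experiences.md, hunk -44,7) restores the Device Management link to `../client-management/mdm-overview`, exactly undoing PATCH 099, and both commits carry the same subject with no body. State in the commit message why the `mdm-overview.md#mobile-device-management-overview` target was backed out, or squash the pair so the history does not show a change followed by its unexplained revert.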
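Review bot: in PATCH 104 (hello-errors-during-pin-creation.md, hunk -69,7), the 0xC00000BB mitigation still reads awkwardly after "can not" becomes "cannot": "Another common cause can be the client cannot verify the KDC certificate CRL" needs "that," for example "Another common cause is that the client cannot verify the CRL for the KDC certificate." The context row above it, "Unable to obtain user token," has an empty error-code cell; confirm whether it belongs to 0x801C044D or is missing its own code.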
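Review bot: the new `bread.yml` in PATCH 105 ends without a trailing newline (`\ No newline at end of file`); add one so later appends produce clean diffs. In the same file the `Windows` and `Deployment` entries pair a `tocHref` under `/troubleshoot/windows-client/` with a `topicHref` under `/windows/`, which deserves a line in the commit body confirming that the cross-tree mapping is intended for the redirect project. PATCH 106 then renames the file to `toc.yml` under the same subject line; squash the two commits or say in the message why the name changed.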