From a280e290b43ad1a86e62440a4a1d8ceab1edfde2 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Wed, 5 Oct 2022 10:05:58 -0700 Subject: [PATCH] Update events section --- ...ndows-diagnostic-events-and-fields-1703.md | 159 ++++++++---------- 1 file changed, 67 insertions(+), 92 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 84a10ffdbb..f5dfb0b57d 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -8,8 +8,6 @@ ms.author: danbrown manager: dougeby ms.collection: M365-security-compliance ms.topic: article -ms.date: 11/29/2021 -ms.reviewer: ms.technology: privacy --- @@ -29,7 +27,8 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) +- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) - [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) @@ -1213,7 +1212,7 @@ The following fields are available: - **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. - **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. - **RunResult** The hresult of the Appraiser diagnostic data run. - **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. - **StoreHandleIsNotNull** Obsolete, always set to false @@ -1284,10 +1283,10 @@ This event sends type and capacity data about the battery on the device, as well The following fields are available: - **InternalBatteryCapablities** Represents information about what the battery is capable of doing. -- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity to estimate the battery's wear. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. - **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. - **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected. Boolean value. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. ### Census.Enterprise @@ -1299,19 +1298,19 @@ The following fields are available: - **AzureOSIDPresent** Represents the field used to identify an Azure machine. - **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **CDJType** Represents the type of cloud domain joined for the machine. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. - **ContainerType** The type of container, such as process or virtual machine hosted. - **HashedDomain** The hashed representation of the user domain used for login. -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (Azure AD) tenant? true/false +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false - **IsDERequirementMet** Represents if the device can do device encryption. - **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption - **IsDomainJoined** Indicates whether a machine is joined to a domain. - **IsEDPEnabled** Represents if Enterprise data protected on the device. - **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. - **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment. -- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier. +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. ### Census.Firmware @@ -1432,7 +1431,7 @@ The following fields are available: - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. - **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. @@ -1486,7 +1485,7 @@ The following fields are available: - **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. - **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). - **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. - **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. - **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. @@ -1579,9 +1578,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -1818,7 +1817,7 @@ The following fields are available: - **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp. - **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to. -- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc. +- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc.. - **placementId** Name of surface, such as LockScreen or Start. @@ -1866,7 +1865,6 @@ The following fields are available: - **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. - **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry). - **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. -- **CanPerformScripting** True if UTC is allowed to perform scripting. - **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. - **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events. - **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed. @@ -1882,10 +1880,9 @@ The following fields are available: - **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups. - **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism. - **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA. -- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. - **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry). - **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. -- **CanPerformScripting** True if UTC is allowed to perform scripting. - **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. - **CanReportScenarios** True if we can report scenario completions, false otherwise. - **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started. @@ -1902,10 +1899,9 @@ The following fields are available: - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **LastConntectivityLossTime** Retrieves the last time the device lost free network. - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. ### TelClientSynthetic.HeartBeat_5 @@ -2129,12 +2125,12 @@ This event sends basic metadata about the starting point of uninstalling a featu ### Microsoft.Windows.HangReporting.AppHangEvent -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. The following fields are available: - **AppName** The name of the app that has hung. -- **AppSessionGuid** GUID made up of process ID used as a correlation vector for process instances in the telemetry backend. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. - **AppVersion** The version of the app that has hung. - **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. @@ -2149,7 +2145,7 @@ The following fields are available: - **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. - **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. - **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative applicationIDof the package. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. ## Inventory events @@ -2700,24 +2696,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd - -This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove - -This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly. - - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. - - - ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. @@ -2840,8 +2818,8 @@ The following fields are available: - **BatteryCapacity** Maximum battery capacity in mWh - **BatteryCharge** Current battery charge as a percentage of total capacity - **BatteryDischarging** Flag indicating whether the battery is discharging or charging -- **BootId** Monotonically increasing boot ID, reset on upgrades. -- **BootTimeUTC** Boot time in UTC file time. +- **BootId** Monotonically increasing boot id, reset on upgrades. +- **BootTimeUTC** Boot time in UTC  file time. - **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot. - **LastStateTransition** The previous state transition on the device. - **LastStateTransitionSub** The previous state subtransition on the device. @@ -3135,7 +3113,7 @@ The following fields are available: - **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. - **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. - **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). - **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. - **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. - **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. @@ -3233,7 +3211,7 @@ The following fields are available: - **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. - **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. -- **ServiceHealthPlugin** The name of the Service Health plug-in. +- **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. - **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. @@ -3877,7 +3855,7 @@ This event sends basic metadata about the SetupPlatform update installation proc The following fields are available: -- **ActivityId** Provides a uniqueIDto correlate events that occur between a activity start event, and a stop event +- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event - **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.) - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. @@ -3919,7 +3897,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **accountType** The type of account that was deleted. Example: AD, Azure AD, or Local +- **accountType** The type of account that was deleted. Example: AD, AAD, or Local - **userSid** The security identifier of the account. - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). @@ -4038,7 +4016,7 @@ The following fields are available: - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. - **DriverSyncPassPerformed** Were drivers scanned this time? - **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **ExtendedMetadataCabUrl** Hostname that is used to download an update. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. @@ -4109,7 +4087,7 @@ The following fields are available: - **EventInstanceID** A globally unique identifier for event instance. - **EventScenario** State of call - **EventType** Possible values are "Child", "Bundle", or "Driver". -- **FlightId** The specificIDof the flight the device is getting +- **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update - **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. @@ -4155,13 +4133,13 @@ The following fields are available: - **Edition** Identifies the edition of Windows currently running on the device. - **EventInstanceID** A globally unique identifier for event instance. - **EventNamespaceID** The ID of the test events environment. -- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was canceled, succeeded, or failed. +- **EventScenario** Indicates the purpose for sending this event: whether because the software distribution just started downloading content; or whether it was cancelled, succeeded, or failed. - **EventType** Identifies the type of the event (Child, Bundle, or Driver). - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specificIDof the flight (pre-release build) the device is getting. +- **FlightId** The specific id of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. @@ -4183,7 +4161,7 @@ The following fields are available: - **RelatedCV** The Correlation Vector that was used before the most recent change to a new Correlation Vector. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** The revision number of the specified piece of content. -- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** A unique identifier for the service that the software distribution client is installing content for (Windows Update, Microsoft Store, etc). - **Setup360Phase** Identifies the active phase of the upgrade download if the current download is for an Operating System upgrade. - **ShippingMobileOperator** The mobile operator linked to the device when the device shipped. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -4212,8 +4190,8 @@ The following fields are available: - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client - **ClientVersion** The version number of the software distribution client -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed -- **EventType** Possible values are "Child", "Bundle", "Release" or "Driver" +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough - **FileId** A hash that uniquely identifies a file - **FileName** Name of the downloaded file @@ -4242,10 +4220,10 @@ The following fields are available: - **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" - **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any - **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeat (DC, AC, Battery Saver, or Connected Standby) +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state -- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.) +- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SuspendCount** Number of times this active download has entered a suspended state - **SuspendReason** Last reason for why this active download entered a suspended state @@ -4276,12 +4254,12 @@ The following fields are available: - **DeviceModel** What is the device model. - **DeviceOEM** What OEM does this device belong to. - **DownloadPriority** The priority of the download activity. -- **DownloadScenarioId** A unique ID for a given download used to tie together Windows Update and DO events. +- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. - **DriverPingBack** Contains information about the previous driver and system state. - **Edition** Indicates the edition of Windows being used. - **EventInstanceID** A globally unique identifier for event instance. -- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Canceled, Failed, etc. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed. +- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. - **ExtendedErrorCode** The extended error code. - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. @@ -4337,7 +4315,7 @@ This event sends data about the ability of Windows to discover the location of a The following fields are available: -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed - **HResult** Indicates the result code of the event (success, cancellation, failure code HResult) - **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background - **NextExpirationTime** Indicates when the SLS cab expires @@ -4407,7 +4385,7 @@ The following fields are available: - **DeviceIsMdmManaged** This device is MDM managed. - **IsNetworkAvailable** If the device network is not available. - **IsNetworkMetered** If network is metered. -- **IsSccmManaged** This device is managed by Configuration Manager . +- **IsSccmManaged** This device is SCCM managed. - **NewlyInstalledOs** OS is newly installed quiet period. - **PausedByPolicy** Updates are paused by policy. - **RecoveredFromRS3** Previously recovered from RS3. @@ -4506,7 +4484,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgent_FellBackToCanonical -This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4531,7 +4509,7 @@ The following fields are available: - **FlightMetadata** Contains the FlightId and the build being flighted. - **ObjectId** Unique value for each Update Agent mode. - **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled +- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled - **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate - **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). - **SessionId** Unique value for each Update Agent mode attempt . @@ -4548,7 +4526,7 @@ The following fields are available: - **FlightId** Unique ID for each flight. - **ObjectId** Unique value for each Update Agent mode. - **RelatedCV** Correlation vector value generated from the latest scan. -- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Canceled, 3 = Blocked, 4 = BlockCanceled +- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled - **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate - **SessionId** Unique value for each Update Agent mode attempt. - **UpdateId** Unique ID for each update. @@ -4604,7 +4582,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentCommit -This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4620,7 +4598,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4651,7 +4629,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentExpand -This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4671,7 +4649,7 @@ The following fields are available: ### Update360Telemetry.UpdateAgentInitialize -This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4737,7 +4715,7 @@ This event sends a summary of all the update agent mitigations available for an ### Update360Telemetry.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4753,13 +4731,13 @@ The following fields are available: ### Update360Telemetry.UpdateAgentOneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -4814,7 +4792,7 @@ The following fields are available: - **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). - **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** An ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. @@ -4835,7 +4813,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. @@ -4856,7 +4834,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -4877,7 +4855,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. @@ -4919,7 +4897,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -4940,7 +4918,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. - **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. @@ -4961,7 +4939,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. @@ -5001,7 +4979,7 @@ This event sends a summary of all the setup mitigations available for this updat ### Setup360Telemetry.Setup360OneSettings -This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date. +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. @@ -5021,7 +4999,7 @@ The following fields are available: - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. @@ -5030,7 +5008,7 @@ The following fields are available: ### Microsoft.Windows.WERVertical.OSCrash -This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. The following fields are available: @@ -5043,7 +5021,7 @@ The following fields are available: - **DumpFileAttributes** Codes that identify the type of data contained in the dump file - **DumpFileSize** Size of the dump file - **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report ID associated with this bug check (used for finding the corresponding report archive in Watson). +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). ### WerTraceloggingProvider.AppCrashEvent @@ -5071,7 +5049,7 @@ The following fields are available: - **TargetAppId** The target app ID. - **TargetAppVer** The target app version. - + ## Windows Store events @@ -5486,7 +5464,7 @@ The following fields are available: - **CatalogId** The Store Catalog ID for the product being installed. - **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition of the app being updated. +- **SkuId** Specfic edition of the app being updated. ### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest @@ -5500,7 +5478,7 @@ The following fields are available: ## Windows Update Delivery Optimization events -### Microsoft.OSG.DU.DeliveryOptClient.Downloadcanceled +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. @@ -5866,7 +5844,7 @@ The following fields are available: - **detectionBlockreason** The reason detection did not complete. - **detectionDeferreason** A log of deferral reasons for every update state. - **errorCode** The error code returned for the current process. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was canceled, succeeded, or failed. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **flightID** The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the device, if applicable. - **interactive** Indicates whether the user initiated the session. - **revisionNumber** The Update revision number. @@ -5933,7 +5911,7 @@ The following fields are available: - **batteryLevel** Current battery capacity in mWh or percentage left. - **deferReason** Reason for install not completing. -- **errorCode** The error code represented by a hexadecimal value. +- **errorCode** The error code reppresented by a hexadecimal value. - **eventScenario** End-to-end update session ID. - **flightID** The ID of the Windows Insider build the device is getting. - **flightUpdate** Indicates whether the update is a Windows Insider build. @@ -6436,6 +6414,3 @@ The following fields are available: - **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. - **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. - **UserId** The XUID (Xbox User ID) of the current user. - - -