diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index fe18116b84..d7bd10d059 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -423,6 +423,7 @@
 ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
+#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..c4409f0fd0
--- /dev/null
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,241 @@
+---
+title: Review events and errors on endpoints with Event Viewer 
+description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
+keywords: troubleshoot, event viewer, lof summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start
+search.product: eADQiWindows 10XVcnh
+ms.prod: W10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: iaanw
+---
+
+
+# Review events and errors on endpoints with Event Viewer
+
+You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
+
+For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
+
+> **Note**&nbsp;&nbsp;It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
+
+**Open Event Viewer and find the Windows Defender ATP service event log:**
+
+1.  Click **Start**, type **Event Viewer**, and press **Enter**.
+
+2.  In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
+    open the log.
+
+  a.  You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
+
+    > **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
+3.  Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
+
+<table>
+<tbody style="vertical-align:top;">
+<tr>
+<th>Event ID</th>
+<th>Message</th>
+<th>Description</th>
+<th>Action</th>
+</tr>
+<tr>
+<td>1</td>
+<td>Windows Advanced Threat Protection service started (Version ```variable```).</td>
+<td>Occurs during system start up, shut down, and during onbboarding.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>2</td>
+<td>Windows Advanced Threat Protection service shutdown.</td>
+<td>Occurs when the endpoint is shut down or offboarded.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>3</td>
+<td>Windows Advanced Threat Protection service failed to start. Failure code: ```variable```</td>
+<td>Service did not start.</td>
+<td>Review other messages to determine possible cause and troubleshooting steps.</td>
+</tr>
+<tr>
+<td>4</td>
+<td>Windows Advanced Threat Protection service contacted the server at ```variable```.</td>
+<td>variable = URL of the Windows Defender ATP processing servers.<br>
+This URL will match that seen in the Firewall or network activity.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>5</td>
+<td>Windows Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
+<td>variable = URL of the Windows Defender ATP processing servers.<br>
+The service could not contact the external processing servers at that URL.</td>
+<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
+</tr>
+<tr>
+<td>6</td>
+<td>Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Onboarding must be run before starting the service.<br>
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
+</tr>
+<tr>
+<td>7</td>
+<td>Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>8</td>
+<td>Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>9</td>
+<td>Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>10</td>
+<td>Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>11</td>
+<td>Windows Advanced Threat Protection service completed.</td>
+<td>The endpoint onboarded correctly.</td>
+<td>Normal operating notification; no action required.<br>
+It may take several hours for the endpoint to appear in the portal.</td>
+</tr>
+<tr>
+<td>12</td>
+<td>Windows Advanced Threat Protection failed to apply the default configuration.</td>
+<td>Service was unable to apply configuration from the processing servers.</td>
+<td>This is a server error and should resolve after a short period.</td>
+</tr>
+<tr>
+<td>13</td>
+<td>Service machine ID calculated: ```variable```</td>
+<td>Normal operating process.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>14</td>
+<td>Service cannot calculate machine ID. Failure code: ```variable```</td>
+<td>Internal error.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>15</td>
+<td>Windows Advanced Threat Protection cannot start command channel with URL: ```variable```</td>
+<td>variable = URL of the Windows Defender ATP processing servers.<br>
+The service could not contact the external processing servers at that URL.</td>
+<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
+</tr>
+<tr>
+<td>17</td>
+<td>Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```</td>
+<td>An error occurred with the Windows telemetry service.</td>
+<td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)<br>
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>18</td>
+<td>OOBE (Windows Welcome) is completed.</td>
+<td>Service will only start after any Windows updates have finished installing.</td>
+<td>Normal operating notification; no action required.</td>
+</tr>
+<tr>
+<td>19</td>
+<td>OOBE (Windows Welcome) has not yet completed.</td>
+<td>Service will only start after any Windows updates have finished installing.</td>
+<td>Normal operating notification; no action required.<br>
+If this error persists after a system restart, ensure all Windows updates have full installed.</td>
+</tr>
+<tr>
+<td>20</td>
+<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```</td>
+<td>Internal error.</td>
+<td>If this error persists after a system restart, ensure all Windows updates have full installed.</td>
+</tr>
+<tr>
+<td>25</td>
+<td>Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>26</td>
+<td>Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```</td>
+<td>The endpoint did not onboard correctly.<br>
+It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>27</td>
+<td>Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```</td>
+<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
+Ensure real-time antimalware protection is running properly.</td>
+</tr>
+<tr>
+<td>28</td>
+<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```</td>
+<td>An error occurred with the Windows telemetry service.</td>
+<td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+<tr>
+<td>30</td>
+<td>Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```</td>
+<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
+<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
+Ensure real-time antimalware protection is running properly.</td>
+</tr>
+<tr>
+<td>31</td>
+<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```</td>
+<td>An error occurred with the Windows telemetry service.</td>
+<td>[Check for errors with the Windows telemetry service](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
+</tr>
+<tr>
+<td>33</td>
+<td>Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```</td>
+<td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br>
+If the identifier does not persist, the same machine might appear twice in the portal.</td>
+<td>Check registry permissions on the endpoint to ensure the service can update the registry.</td>
+</tr>
+<tr>
+<td>34</td>
+<td>Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```</td>
+<td>An error occurred with the Windows telemetry service.</td>
+<td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
+Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
+</tr>
+</tr>
+</tbody>
+</table>
+
+
+
+## Related topics
+- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threate-protection.md)
+- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)
+- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
+- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 92624f61fb..f73c17f06e 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -58,7 +58,7 @@ If the **OnboardingState** value is not set to **1**, you can use Event Viewer t
 
 1. Click **Start**, type **Event Viewer**, and press **Enter**.
 
-2. In the **Event Viewer (Local)** pane, expand the **Applications and Services Logs** section, and then browse to the **Microsoft\Windows\SENSE** directory.
+2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
 
     > **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
 
@@ -183,7 +183,7 @@ First, you should check that the service is set to start automatically when Wind
 
 2.  Enter the following command, and press **Enter**:
 
-    ```doscon
+    ```text
     sc qc diagtrack
     ```
 
@@ -205,13 +205,13 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
 
 2.  Enter the following command, and press **Enter**:
 
-    ```doscon
+    ```text
     sc config diagtrack start=auto
     ```
 
 3.  A success message is displayed. Verify the change by entering the following command, and press **Enter**:
 
-    ```doscon
+    ```text
     sc qc diagtrack
     ```
 
@@ -258,7 +258,7 @@ If the startup type is not set to **Automatic**, you'll need to change it so the
 
 2.  Enter the following command, and press **Enter**:
 
-    ```doscon
+    ```text
     sc query diagtrack
     ```
 
@@ -279,13 +279,13 @@ If the service **STATE** is not set to **RUNNING**, then you'll need to start it
 
 2.  Enter the following command, and press **Enter**:
 
-    ```doscon
+    ```text
     sc start diagtrack
     ```
 
 3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
 
-    ```doscon
+    ```text
     sc query diagtrack
     ```
 
@@ -329,242 +329,6 @@ To ensure that sensor has service connectivity, follow the steps described in th
 
 If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.    
 
-
-
-## Review events and errors on endpoints with Event Viewer
-
-You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints, or check the status of machines from the [Windows Defender ATP portal](https://securitycenter.windows.com/).
-
-For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints.
-
-> **Note**&nbsp;&nbsp; It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
-
-1.  Click **Start** and type **Event Viewer**.
-
-2.  In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
-    open the log.
-
-    > **Note**&nbsp;&nbsp; SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
-
-3.  Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
-
-<table>
-<tbody style="vertical-align:top;">
-<tr>
-<th>Event ID</th>
-<th>Message</th>
-<th>Description</th>
-<th>Action</th>
-</tr>
-<tr>
-<td>1</td>
-<td>Windows Advanced Threat Protection service started (Version ```variable```).</td>
-<td>Occurs during system start up, shut down, and during onbboarding.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>2</td>
-<td>Windows Advanced Threat Protection service shutdown.</td>
-<td>Occurs when the endpoint is shut down or offboarded.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>3</td>
-<td>Windows Advanced Threat Protection service failed to start. Failure code: ```variable```</td>
-<td>Service did not start.</td>
-<td>Review other messages to determine possible cause and troubleshooting steps.</td>
-</tr>
-<tr>
-<td>4</td>
-<td>Windows Advanced Threat Protection service contacted the server at ```variable```.</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
-This URL will match that seen in the Firewall or network activity.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>5</td>
-<td>Windows Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
-The service could not contact the external processing servers at that URL.</td>
-<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
-</tr>
-<tr>
-<td>6</td>
-<td>Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
-<td>Onboarding must be run before starting the service.<br>
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
-</tr>
-<tr>
-<td>7</td>
-<td>Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable```</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>8</td>
-<td>Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>9</td>
-<td>Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable```</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>10</td>
-<td>Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>11</td>
-<td>Windows Advanced Threat Protection service completed.</td>
-<td>The endpoint onboarded correctly.</td>
-<td>Normal operating notification; no action required.<br>
-It may take several hours for the endpoint to appear in the portal.</td>
-</tr>
-<tr>
-<td>12</td>
-<td>Windows Advanced Threat Protection failed to apply the default configuration.</td>
-<td>Service was unable to apply configuration from the processing servers.</td>
-<td>This is a server error and should resolve after a short period.</td>
-</tr>
-<tr>
-<td>13</td>
-<td>Service machine ID calculated: ```variable```</td>
-<td>Normal operating process.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>14</td>
-<td>Service cannot calculate machine ID. Failure code: ```variable```</td>
-<td>Internal error.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>15</td>
-<td>Windows Advanced Threat Protection cannot start command channel with URL: ```variable```</td>
-<td>variable = URL of the Windows Defender ATP processing servers.<br>
-The service could not contact the external processing servers at that URL.</td>
-<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
-</tr>
-<tr>
-<td>17</td>
-<td>Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```</td>
-<td>An error occurred with the Windows telemetry service.</td>
-<td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)<br>
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>18</td>
-<td>OOBE (Windows Welcome) is completed.</td>
-<td>Service will only start after any Windows updates have finished installing.</td>
-<td>Normal operating notification; no action required.</td>
-</tr>
-<tr>
-<td>19</td>
-<td>OOBE (Windows Welcome) has not yet completed.</td>
-<td>Service will only start after any Windows updates have finished installing.</td>
-<td>Normal operating notification; no action required.<br>
-If this error persists after a system restart, ensure all Windows updates have full installed.</td>
-</tr>
-<tr>
-<td>20</td>
-<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```</td>
-<td>Internal error.</td>
-<td>If this error persists after a system restart, ensure all Windows updates have full installed.</td>
-</tr>
-<tr>
-<td>25</td>
-<td>Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable```</td>
-<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>26</td>
-<td>Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```</td>
-<td>The endpoint did not onboard correctly.<br>
-It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>27</td>
-<td>Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```</td>
-<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
-Ensure real-time antimalware protection is running properly.</td>
-</tr>
-<tr>
-<td>28</td>
-<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```</td>
-<td>An error occurred with the Windows telemetry service.</td>
-<td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>29</td>
-<td>Windows Advanced Threat Protection service failed to read the offboarding parameters. Failure code: ```variable```</td>
-<td><span style="background-color:yellow;">Naama: Should I remove this error? Or just leave it as internal?</span></td>
-<td>TBD</td>
-</tr>
-<tr>
-<td>30</td>
-<td>Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```</td>
-<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
-<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
-Ensure real-time antimalware protection is running properly.</td>
-</tr>
-<tr>
-<td>31</td>
-<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```</td>
-<td>An error occurred with the Windows telemetry service.</td>
-<td>[Check for errors with the Windows telemetry service](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
-</tr>
-<tr>
-<td>32</td>
-<td>Windows Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: ```variable```</td>
-<td><span style="background-color:yellow;">Naama: Should I remove this error? Or just leave it as internal?</span></td>
-<td>TBD</td>
-</tr>
-<tr>
-<td>33</td>
-<td>Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```</td>
-<td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br>
-If the identifier does not persist, the same machine might appear twice in the portal.</td>
-<td>Check registry permissions on the endpoint to ensure the service can update the registry.</td>
-</tr>
-<tr>
-<td>34</td>
-<td>Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```</td>
-<td>An error occurred with the Windows telemetry service.</td>
-<td>[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
-</tr>
-<tr>
-<td>35</td>
-<td>Windows Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```</td>
-<td><span style="background-color:yellow;">Naama: Should I remove this error? Or just leave it as internal?</span></td>
-<td>TBD</td>
-</tr>
-</tbody>
-</table>
-
 <!--
 
 ## There are no users in the Azure Active Directory
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
index 10afdbfb92..124f961411 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -19,15 +19,14 @@ author: mjcaparas
 
 This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
 
-###Server error - Access is denied due to invalid credentials
+### Server error - Access is denied due to invalid credentials
 If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
 Configure your browser to allow cookies.
 
 ### No data is shown on the portal
-If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist TI and DA endpoints and detonation endpoints that also use the this protocol.
+If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist the threat intelligence, data access, and detonation endpoints that also use this protocol.
 
-QUESTIONs TO NAMAA:
-- what dos TI AND DA stand for
+QUESTION TO NAMAA:
 - what are we referring to when we say "this protocol"
 thanks, joey
 
@@ -35,6 +34,7 @@ thanks, joey
 Depending on your region, add the following endpoints to the whitelist:
 
 U.S. region:
+
 - threatintel-cus-prd.cloudapp.net
 - threatintel-eus-prd.cloudapp.net
 - dataaccess-cus-prd.cloudapp.net
@@ -49,6 +49,10 @@ EU region:
 - dataaccess-neu-prd.cloudapp.net
 - dataaccess-weu-prd.cloudapp.net
 
+### Windows Defender ATP service shows event or error logs in the Event Viewer
+
+See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
+
 
 ### Related topic
 - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

Event ID	Message	Description	Action
1	Windows Advanced Threat Protection service started (Version ```variable```).	Occurs during system start up, shut down, and during onbboarding.	Normal operating notification; no action required.
2	Windows Advanced Threat Protection service shutdown.	Occurs when the endpoint is shut down or offboarded.	Normal operating notification; no action required.
3	Windows Advanced Threat Protection service failed to start. Failure code: ```variable```	Service did not start.	Review other messages to determine possible cause and troubleshooting steps.
4	Windows Advanced Threat Protection service contacted the server at ```variable```.	variable = URL of the Windows Defender ATP processing servers. +This URL will match that seen in the Firewall or network activity.	Normal operating notification; no action required.
5	Windows Advanced Threat Protection service failed to connect to the server at ```variable```.	variable = URL of the Windows Defender ATP processing servers. +The service could not contact the external processing servers at that URL.	Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).
6	Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found.	The endpoint did not onboard correctly and will not be reporting to the portal.	Onboarding must be run before starting the service. +Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
7	Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable```	The endpoint did not onboard correctly and will not be reporting to the portal.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
8	Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```	The endpoint did not onboard correctly and will not be reporting to the portal.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
9	Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable```	The endpoint did not onboard correctly and will not be reporting to the portal.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
10	Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```	The endpoint did not onboard correctly and will not be reporting to the portal.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
11	Windows Advanced Threat Protection service completed.	The endpoint onboarded correctly.	Normal operating notification; no action required. +It may take several hours for the endpoint to appear in the portal.
12	Windows Advanced Threat Protection failed to apply the default configuration.	Service was unable to apply configuration from the processing servers.	This is a server error and should resolve after a short period.
13	Service machine ID calculated: ```variable```	Normal operating process.	Normal operating notification; no action required.
14	Service cannot calculate machine ID. Failure code: ```variable```	Internal error.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
15	Windows Advanced Threat Protection cannot start command channel with URL: ```variable```	variable = URL of the Windows Defender ATP processing servers. +The service could not contact the external processing servers at that URL.	Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).
17	Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```	An error occurred with the Windows telemetry service.	[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled) +Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
18	OOBE (Windows Welcome) is completed.	Service will only start after any Windows updates have finished installing.	Normal operating notification; no action required.
19	OOBE (Windows Welcome) has not yet completed.	Service will only start after any Windows updates have finished installing.	Normal operating notification; no action required. +If this error persists after a system restart, ensure all Windows updates have full installed.
20	Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```	Internal error.	If this error persists after a system restart, ensure all Windows updates have full installed.
25	Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable```	The endpoint did not onboard correctly and will not be reporting to the portal.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
26	Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```	The endpoint did not onboard correctly. +It will report to the portal, however the service may not appear as registered in SCCM or the registry.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
27	Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```	Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +Ensure real-time antimalware protection is running properly.
28	Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```	An error occurred with the Windows telemetry service.	[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled). +Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
30	Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```	Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.	Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +Ensure real-time antimalware protection is running properly.
31	Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```	An error occurred with the Windows telemetry service.	[Check for errors with the Windows telemetry service](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
33	Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```	A unique identifier is used to represent each endpoint that is reporting to the portal. +If the identifier does not persist, the same machine might appear twice in the portal.	Check registry permissions on the endpoint to ensure the service can update the registry.
34	Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```	An error occurred with the Windows telemetry service.	[Ensure the telemetry service is enabled](#ensure-that-the-telemetry-and-diagnostics-service-is-enabled). +Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. +See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)